Office of Inspector General
for the Millennium Challenge Corporation

June 1, 2011

Mr. Daniel W. Yohannes
Chief Executive Officer
Millennium Challenge Corporation
875 Fifteenth Street, N.W.
Washington, DC 20005

Dear Mr. Yohannes:

Enclosed is the final report on the Risk Assessment of the Millennium Challenge Corporation’s Information Technology Governance Over Its Information Technology Investments (Report No. M-000-11-001-O). The Office of Inspector General (OIG) contracted with the independent certified public accounting firm of Clifton Gunderson LLP (Clifton Gunderson) to conduct the risk assessment. Clifton Gunderson conducted its risk assessment in accordance with United States Generally Accepted Government Auditing Standards, as amended.

Clifton Gunderson determined that MCC’s information technology (IT) governance processes for the selected IT governance areas ranged from maturity level ratings of Initial/Ad hoc through Managed and Measurable. Weaknesses in MCC’s IT governance processes may increase IT project costs, lengthen deployment, and deliver solutions that do not satisfy business needs.

As MCC continues to select and manage its information technology investments, it is important to correct weaknesses and to have formal IT governance. This will assist in ensuring IT objectives are correlated with business objectives and IT investments are prioritized and managed to effectively support Agency initiatives. Therefore, Clifton Gunderson’s report makes 23 recommendations to help MCC achieve an appropriate level of information technology governance and control. In addition, Clifton Gunderson’s report makes 17 suggestions to help MCC implement best practices which are of lesser priority.
Although OIG will not formally track the suggestions, MCC should consider prioritizing and implementing them, as appropriate.

Millennium Challenge Corporation
1401 H. Street N.W. Suite 770
Washington, DC 20005
www.usaid.gov/oig

In carrying out its oversight responsibilities, the OIG reviewed Clifton Gunderson’s report and related risk assessment documentation. The OIG’s review, as differentiated from an audit in accordance with U.S. Generally Accepted Government Auditing Standards, was not intended to enable the OIG to express, and we do not express, an opinion on MCC’s IT governance over its IT investments. Clifton Gunderson is responsible for the enclosed risk assessment report and the conclusions expressed therein. However, our review disclosed no instances in which Clifton Gunderson did not comply, in all material respects, with applicable standards.

To address the weaknesses reported by Clifton Gunderson, OIG is making the following recommendations to MCC’s management:

Recommendation 1: We recommend that the Millennium Challenge Corporation Chief Information Officer update the information technology strategic plan to reflect current enterprise strategic goals.

Recommendation 2: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a formal process for managing risk and updating the information technology strategic plan accordingly. Risk management must drive enterprise architecture decisions, providing secure information system environments for critical applications. The plan should be reviewed at a minimum annually and when major events occur that have an impact on strategic goals.
When updating the information technology strategic plan, the Chief Information Officer should verify compliance with the Office of Management and Budget Circular No. A-130, Management of Federal Information Systems, with regard to the capital planning and investment control process, which includes the information resource management strategic plan and the information technology capital plan that is required to be updated twice yearly.

Recommendation 3: We recommend that the Millennium Challenge Corporation Chief Information Officer complete the enterprise information architecture planning and implementation project as discussed in the Executive Level Notional OCIO 2 Year Portfolio in order to maintain an information architecture that reflects the business requirements.

Recommendation 4: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a project plan for leveraging data as indicated in the authoritative data source process and methodology in order to provide business users access to detailed information to aid in analysis and decision making.

Recommendation 5: We recommend that the Millennium Challenge Corporation Chief of Staff develop and implement a formal process that must be consistently applied for the Enterprise Architecture Steering Committee to prioritize information technology-enabled investment programs.

Recommendation 6: We recommend that the Millennium Challenge Corporation Chief of Staff formally document and implement a process requiring the Enterprise Architecture Steering Committee to consider risk management when discussing strategic direction and approval of information technology investments.

Recommendation 7: We recommend that the Millennium Challenge Corporation Chief Information Officer (1) conduct an analysis to determine whether the
information technology function has sufficient resources to adequately support the business goals and objectives of the organization and (2) through the organization's budgeting process, submit a written request for additional resources to address any shortfalls identified in the analysis.

Recommendation 8: We recommend that the Millennium Challenge Corporation Deputy Chief Financial Officer revise the budget policy and procedures to account for the change from line item budgeting to project budgeting.

Recommendation 9: We recommend that the Millennium Challenge Corporation Chief Information Officer develop a process and implement a tool for monitoring project plans and work completed to determine earned value, providing an early warning of performance issues impacting project budgets.

Recommendation 10: We recommend that the Millennium Challenge Corporation Chief Information Officer define quality requirements, criteria, and key performance indicators for evaluation of quality management for key information technology processes.

Recommendation 11: We recommend that the Millennium Challenge Corporation Chief Information Officer identify and document standards, procedures, and practices for key information technology processes to guide the Agency in defining and evaluating criteria for quality management.

Recommendation 12: We recommend that the Millennium Challenge Corporation Chief Information Officer implement a process to incorporate the following components into its projects:

• A project governance structure that includes the roles, responsibilities, and accountabilities of various key players in project management.
• Project sponsors assigned for the execution of each project.
• Project office and project manager.
• Elements such as approving the initiation of phases, communicating to all stakeholders the status of projects, establishing an integrated project
plan, project quality plan, and defining the responsibilities of project team members.
• Project risk management through the process of planning, identifying, analyzing, responding to, monitoring and controlling risk.
• Project change control.
• Lessons learned.

Recommendation 13: We recommend that the Millennium Challenge Corporation Chief Information Officer implement a process to verify that risk management plans and Exhibit 300 business cases are consistently used, monitored and updated annually for all information technology projects as required.

Recommendation 14: We recommend that the Millennium Challenge Corporation Chief Information Officer finalize and implement the system development life cycle.

Recommendation 15: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a policy to fully address the maintenance of software applications.

Recommendation 16: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process for ensuring the integration of software into the current infrastructure is properly planned and executed.

Recommendation 17: We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement information technology acquisition instructions that provide a methodology to evaluate the components of information technology acquisition contracts.

Recommendation 18: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process to ensure end user testing and evaluation of developed applications.

Recommendation 19: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process to ensure personnel are trained in the use of developed applications.

Recommendation 20: We recommend that
the Millennium Challenge Corporation Chief Information Officer document and implement policies and procedures for data conversion, testing of applications and infrastructure migration.

Recommendation 21: We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement a process to enforce the creation of service level agreements for all endeavors requiring contract support.

Recommendation 22: We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement a process for periodic review and feedback of performance for all contractors to improve service delivery and support early detection of potential problems.

Recommendation 23: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a monitoring process to ensure that all information technology projects are provided a priority level commensurate with the direction and goals of the Agency as a whole, not with the goals of individual leaders within the Agency.

Based on Clifton Gunderson’s evaluation of MCC’s comments, OIG agrees with the management decisions reached on Recommendations 17, 21, and 22. However, MCC could not reach management decisions for the remaining 20 recommendations because MCC has not determined target dates for completing the planned actions. Please provide target dates to address the remaining 20 recommendations within 6 months of the date of this report.

The OIG appreciates the cooperation and courtesies extended to our staff and to the staff of Clifton Gunderson.

Sincerely,

/s/

Alvin A.
Brown
Assistant Inspector General
Millennium Challenge Corporation

cc:
Steven M. Kaufmann, Chief of Staff
Victoria B. Wassmer, Vice President, Department of Administration and Finance
Dennis Lauer, Chief Information Officer
Dennis E. Nolan, Deputy Chief Financial Officer
Jim R. Blades, Director of Contracting
Arlene McDonald, Compliance Officer


RISK ASSESSMENT OF THE MILLENNIUM CHALLENGE CORPORATION’S INFORMATION TECHNOLOGY GOVERNANCE OVER ITS INFORMATION TECHNOLOGY INVESTMENTS

May 13, 2011

4250 N. Fairfax Drive
Suite 1020
Arlington, Virginia 22203
tel: 571-227-9500
fax: 571-227-9552
www.cliftoncpa.com


CONTENTS
SUMMARY OF RESULTS
RISK ASSESSMENT RESULTS
   PLAN AND ORGANIZE (PO)
   DELIVER AND SUPPORT (DS)
   MONITOR AND EVALUATE (ME)
RISK ASSESSMENT CONCLUSION
EVALUATION OF MANAGEMENT COMMENTS
SCOPE AND METHODOLOGY
   SCOPE
   METHODOLOGY
MANAGEMENT COMMENTS
COBIT MATURITY MODEL MEASUREMENT CRITERIA
MAPPING NIST 800-53 REV 3 WITH COBIT 4.1


SUMMARY OF RESULTS
The Millennium Challenge Corporation (MCC) was created by the U.S. Congress in January 2004. MCC is an independent U.S. foreign aid agency that is helping lead the fight against global poverty. A relatively small organization, MCC currently employs approximately 300 personnel, including 7 IT personnel plus contractor support.

Clifton Gunderson (CG) LLP was engaged by the Assistant Inspector General (AIG) for the Millennium Challenge Corporation (MCC) to conduct a risk assessment of MCC’s information technology (IT) governance over its IT investments. IT governance provides the structure that links IT processes, resources and information to enterprise strategies and objectives. The objectives are to (1) align IT with the business, enable the business, and maximize resources; (2) use IT resources responsibly; and (3) appropriately manage IT risks.

Our risk assessment focused on MCC’s governance process related to selecting, managing and controlling its IT investments.
The outcome of our assessment was to identify weaknesses in controls that could impact MCC’s ability to align IT risk with the enterprise risk management framework, correlate IT objectives with business objectives, set the tone from the top, make risk based business decisions, and manage IT investments in a manner that is perceived as a value in supporting business initiatives.

The objective of the assessment was to answer the following question:

   What are MCC’s risks for selecting, managing and controlling its information technology investments?

Our assessment resulted in a scorecard for capturing measurements and provides a view of areas where risks may arise in achieving organizational goals and identifying areas for improvement. We determined that MCC’s IT governance processes for the selected IT governance areas ranged from maturity level ratings of Initial/Ad hoc through Managed and Measurable. Weaknesses in MCC’s IT governance processes may increase IT project costs, lengthen deployment, and deliver solutions that do not satisfy business needs.
Closing these control gaps will help ensure MCC achieves maximum benefit from developing an appropriate level of IT governance and control.

The scorecard below summarizes the results of the review:

Millennium Challenge Corporation IT Governance Over its IT Investments
SCORECARD
Control Objectives for Information and related Technology (COBIT) Maturity Model

Maturity Level scale: 0 - Non-existent; 1 - Initial/Ad-Hoc; 2 - Repeatable but Intuitive; 3 - Defined Process; 4 - Managed and Measurable; 5 - Optimized

Planning and Organization
   PO1    Define a Strategic Plan                                   3 - Defined Process
   PO2    Define the Information Architecture                       2 - Repeatable but Intuitive
   PO4    Define the IT Processes, Organization and Relationships   2 - Repeatable but Intuitive
   PO5    Manage the IT Investment                                  3 - Defined Process
   PO8    Manage Quality                                            1 - Initial/Ad-Hoc
   PO10   Manage Projects                                           2 - Repeatable but Intuitive
Acquire and Implement
   AI2    Acquire and Maintain Application Software                 1 - Initial/Ad-Hoc
   AI3    Acquire and Maintain Technology Infrastructure            2 - Repeatable but Intuitive
   AI5    Procure IT Resources                                      3 - Defined Process
   AI7    Install and Accredit Solutions and Changes                2 - Repeatable but Intuitive
Deliver and Support
   DS1    Define and Manage Service Levels                          3 - Defined Process
   DS2    Manage Third Party Services                               4 - Managed and Measurable
   DS10   Manage Problems                                           4 - Managed and Measurable
Monitor and Evaluate
   ME1    Monitor and Evaluate IT Performance                       3 - Defined Process
   ME3    Ensure Compliance with External Requirements              4 - Managed and Measurable
   ME4    Provide IT Governance                                     2 - Repeatable but Intuitive

In addition to identifying the levels of maturity for several areas, we also identified key risk areas, including:
   • MCC has not developed and implemented a process for updating its IT Strategic Plan to reflect current enterprise strategic goals;
   • MCC has not developed and implemented a process for ensuring risk assessments are performed for all IT projects or continuous monitoring of project risk is occurring;
   • MCC has not completed the enterprise architecture planning and implementation project in order to reflect current business requirements;
   • MCC has not consistently prioritized IT-enabled investment programs to ensure all IT projects are provided a priority level commensurate with the direction and goals of the Agency as a whole; and
   • MCC has not consistently implemented a project governance structure containing the necessary elements to ensure a disciplined project management process.

To address the issues noted above, the report documents both recommendations and suggestions. The recommendations are in support of opportunities for improvement deemed to be of highest priority to close control gaps. The suggestions are deemed to be of lesser priority for ensuring best practices are achieved.
The twenty-three recommendations and seventeen suggestions are documented within the discussion regarding each COBIT control area assessed.

In finalizing the report, we received and considered MCC’s response to the draft risk assessment report and the recommendations included therein. In its comments, MCC concurred with all of the recommendations, but could not yet provide timelines to address 20 of the 23 recommendations. MCC plans to complete the timelines by July 31, 2011. We agree with MCC’s management decisions to address recommendations 17, 21, and 22.

The detailed risk assessment results are discussed in the next section. Appendix I describes the assessment’s scope and methodology. Appendix II contains MCC’s management comments without attachments.


RISK ASSESSMENT RESULTS

Plan and Organize (PO)

Strategic Planning
The Millennium Challenge Corporation (MCC) maintains an enterprise portfolio of IT-enabled investments in the form of the Executive Level Notional OCIO Two Year Portfolio. The portfolio provides a high level view of the milestones, dependencies, decision points and status of each of the IT projects. In addition, an Information Systems Strategic Plan has been developed covering FY08 through FY10 which focuses on realigning performance goals and resources to support a business centric, portfolio management approach. Goals, sub-goals and performance objectives for infrastructure, strategy, systems and capacity are discussed. The Plan outlines the portfolio management process, prioritization of projects, budgeting and the acquisition strategy. However, the strategic planning process does not include the development of long range plans as the basis for building the IT Strategic Plan.
In addition, MCC has not developed and implemented a formal process for managing risk and updating the Strategic Plan accordingly. As a result, the plan has not been maintained and is currently out of date. According to the CIO, the plan is not properly aligned with core business requirements since those requirements have changed over the life of the document. In addition, the plan does not tactically address achievement of the strategic goals. A revised plan is being developed and is scheduled for completion by March of 2011. In addition, MCC is beginning to address risk responsibility at the enterprise level through the newly created position of Senior Investment and Risk Officer under the direction of the Chief Executive Officer (CEO).

IT Processes, Organization and Relationships
MCC has implemented an Enterprise Architecture Steering Committee (EASC) which establishes a process for reciprocal involvement in strategic planning. The EASC aims to align and integrate IT strategies with MCC's business objectives. The EASC charter outlines the three basic tenets of the committee: 1) the EASC should be jointly chaired by a business executive and a technical representative; 2) the EASC is an advisory and implementation body to the Information Management Committee; and 3) direct communication between the EASC team and all levels in the implementation oversight and review process is expected as a means of exchanging information and building trust. The EASC is charged with establishing both project managers and business sponsors of all major Information Technology investments above a $300,000 threshold. Although the committee provides oversight, a formal process is not in place for the EASC to prioritize IT-enabled investment programs. Initially, little attention was given to the EASC; however, the entrance of the new Chief of Staff has increased its use, effectiveness and frequency of meetings.
A Senior Investment and Risk Officer has recently been hired to focus on risks associated with the program functions. While this person is not a member of the EASC, increased focus on risk management by the EASC has begun through the leveraging of the risk methodology and templates established by the Risk Office.

We observed that the reporting line of the CIO does not reflect the importance of IT within the Agency. The CIO has a dotted reporting line to the CEO and a direct line to the CFO. Although the EASC is tasked with providing governance for IT projects and the CIO has begun assigning a project manager to monitor projects, there are situations in which the priorities of the CIO may conflict with the priorities of the CFO. This structure has also led to the IT function lacking resources to adequately support the business goals and objectives. The CIO conducted a benchmarking study this year to determine the appropriate levels of funding within the IT budget, which should assist in determining the appropriate level of IT staff needed. The benchmarking study indicated that MCC is on the low end of IT spending. Over a three year period, MCC has averaged 10% versus comparable agencies at 11% to 20%. IT resources include both full time equivalent employees and contractors. (We are not making a recommendation to address the position of the Chief Information Officer within the organizational structure. A recommendation was opened from a prior audit [1] and has subsequently been closed by the OIG [2].)

MCC has a process in place to ensure both MCC employees and contract personnel who support the IT function know and comply with MCC’s policies for protection of the organization’s information assets.
In addition, security requirements are outlined in contracts, and contract personnel are required to comply with the same personnel security background requirements as MCC employees. However, for the resources available, skill inventories of both IT and business resources are not documented to support staffing for IT projects. Skill inventories would allow project managers to staff projects with the most appropriate subject matter experts throughout the organization.

Finally, in addition to the relationship the IT function maintains with the EASC, MCC has developed a communication and liaison structure between the IT function and various other interests outside the IT function, such as the Office of Inspector General (OIG), the Office of Management and Budget (OMB) and the Audit Committee. These relationships help the CIO ensure an understanding of and focus on Federal requirements and process improvements.

Defining the Information Architecture
MCC has developed and implemented a data classification scheme, which provides a consistent approach for describing, categorizing and employing MCC data in a standard and consistent manner across the Agency. Core data is used across all of MCC. Common data is used across two working groups or divisions, and distinct data is used within one working group or division. In addition, data has been classified according to protection requirements. An enterprise data dictionary or Data Reference Model (DRM) is being completed and is on track for completion by September 2011. This will promote a common understanding of data among IT and business users and allow for the sharing of data elements among applications and systems. The DRM is part of an overall Enterprise Content Management (ECM) strategy that MCC is in the process of initiating to formalize the organization and storage of data.
The approach for the DRM is based on the Federal Enterprise Architecture, an initiative of the U.S. Office of Management and Budget that intends to comply with the Clinger-Cohen Act and affords a common methodology for information technology acquisition.

[1] Audit of the Millennium Challenge Corporation’s Implementation of Key Components of a Privacy Program for Its Information Technology Systems (Report No. M-000-10-003-P, July 10, 2010).
[2] Memorandum from Assistant Inspector General: Closure of Audit Recommendations 1 and 2 for the Audit of the Millennium Challenge Corporation’s Implementation of Key Components of a Privacy Program for Its Information Technology Systems (Audit Report No. M-000-10-003-P).

MCC is currently constructing the basic framework of an enterprise architecture lifecycle as documented in the Executive Level Notional OCIO 2 Year Portfolio, starting with the Business Reference Model and Data Reference Model. The enterprise information architecture project should assist MCC in further aligning resources to increase business performance and facilitate MCC carrying out its mission. A methodology for leveraging information through data warehouse and data mining technologies has been determined, but implementation will not commence until the data dictionary is completed and the ECM project is at a maturity level that would allow for leveraging data.

Managing the IT Investment
MCC has established a detailed manual for IT budget formulation policy and procedures, and a budget for IT projects has been established which includes the prioritization of requested activities. A quarterly budget review is performed to refine budgeting requirements based on the status of projects and changing priorities.
The decision-making process for prioritizing the allocation of IT resources is based on value and risk as documented in the IT Strategic Plan; however, it is not consistently applied. For example, the highest priority set by IT is the General Support System followed by IT security; however, a process for the business units to prioritize their projects has not been established. Recently, the budgeting process was modified from line item budgeting to a project based approach. The IT Budget Formulation Policy and Procedure manual has not been updated to reflect this change. Currently there is no clear line of sight between budgeting for IT projects and monitoring of project plans in order to determine earned value and provide early warning of performance issues impacting project budgets.

Managing Quality
A Quality Management System (QMS) defines the organizational structure for quality management, covering the roles, tasks and responsibilities. In addition, standards, procedures and practices for key IT processes, including development and acquisitions that follow the life cycle of the deliverable, should be documented and maintained. The quality of IT services provided at MCC is tracked through an informal quality management process. MCC utilizes quality satisfaction surveying, which results in improvement if issues arise. A QMS that identifies quality requirements and criteria, and monitors performance against these requirements and criteria for continuous improvement of IT services, is not in place. In addition, MCC has not documented standards, procedures and practices for key IT processes.

Managing Projects
MCC utilizes a portfolio tracker to monitor the status of major IT projects. Individuals responsible for managing IT projects are required to obtain project management certification.
However, MCC does not have a project governance structure in place that
establishes elements such as a project office, project manager, project sponsors, or
steering committee for each project. Additionally, not all IT projects have the benefit of
an assigned sponsor with sufficient authority to own the execution of the project within
the overall strategic program. Responsibilities, relationships, authorities, and
performance criteria of project team members are not defined, and the basis for acquiring
and assigning competent staff members and/or contractors to projects is not specified.
Although MCC’s contracts include Service Level Agreements (SLAs), its project
management approach does not identify key criteria by which the project performance of
contractors may be measured. The primary stakeholder of projects is usually the
business; however, the business’s commitment to the definition and execution of
projects is typically not obtained. The initiation of each major project phase is not
approved. In addition, there is no review or acceptance of the deliverables of the
previous phase, nor approval of an updated business case, at the next major review of
the program. This is the result of a lack of consistent project communication with all
stakeholders. Although MCC tracks the status of specific milestones on the portfolio
tracker, project stakeholders are not required to ascertain whether the project delivered
the planned results and benefits. In addition, lessons learned are not documented for
use on future projects and programs.
The lack of a
formal project management structure, including planning, identifying, analyzing,
responding to, monitoring and controlling risk, has led to inconsistent application of
management practices for IT projects.

The summary of observations identified in the review, as well as the assessed COBIT
Maturity Level Ranking and recommendations, are provided as follows:


COBIT PO1 - Define a Strategic Plan
Observed Best Practices
1. MCC maintains an enterprise portfolio of IT-enabled investments. The Executive
   Level Notional OCIO Two Year Portfolio provides a high level view of the milestones,
   dependencies, decision points and status for each of the IT projects.

2. MCC has implemented the Enterprise Architecture Steering Committee (EASC),
   which establishes a process for reciprocal involvement in strategic planning.

3. An IT Strategic Plan covering FY08 through FY10 was developed which focused on
   realigning its performance goals and resources to support a business centric,
   portfolio management approach.

Opportunities for Improvement
1. MCC has not developed and implemented a formal process for managing risk.

2. MCC has not developed and implemented a formal process for updating the IT
   Strategic Plan to reflect current enterprise strategic goals.

3. The strategic planning process does not include the development of tactical plans to
   aid in the achievement of the strategic goals, or the development of long range plans
   in order to plan for accomplishing a set of goals over a longer period of time.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 3 – Defined
COBIT Definition - A policy defines when and how to perform IT strategic planning. IT
strategic planning follows a structured approach that is documented and known to all
staff.
The IT planning process is reasonably sound and ensures that appropriate
planning is likely to be performed. However, discretion is given to individual managers
with respect to implementation of the process, and there are no procedures to examine
the process. The overall IT strategy includes a consistent definition of risks that the
organization is willing to take as an innovator or follower. The IT financial, technical and
human resources strategies increasingly influence the acquisition of new products and
technologies. IT strategic planning is discussed at business management meetings.
Recommendations
1. We recommend that the Millennium Challenge Corporation Chief Information Officer
   update the Information Technology Strategic Plan to reflect current enterprise
   strategic goals.

2. We recommend that the Millennium Challenge Corporation Chief Information Officer
   develop and implement a formal process for managing risk and updating the
   Information Technology Strategic Plan accordingly. Risk management must drive
   enterprise architecture decisions, providing secure information system environments
   for critical applications. The plan should be reviewed at a minimum annually and
   when major events occur that have an impact on strategic goals. When updating the
   Information Technology Strategic Plan, the Chief Information Officer should verify
   compliance with Office of Management and Budget Circular No. A-130,
   Management of Federal Information Resources, with regard to the capital planning
   and investment control process, which includes the Information Resource
   Management Strategic Plan and the Information Technology Capital Plan; the latter
   is required to be updated twice yearly.

Suggestions
1. 
We suggest that the Millennium Challenge Corporation Chief Information Officer
   incorporate tactical planning into the strategic planning process by breaking the
   strategic plan down into short term actions and plans. A tactical plan contains a list
   of deliverables, a schedule, resources, a budget and a mapping of how it will be
   completed.

2. We suggest that the Millennium Challenge Corporation Chief Information Officer
   develop long range plans as the basis for building the Information Technology
   Strategic Plan.


COBIT PO2 - Define the Information Architecture
Observed Best Practices
1. MCC has developed and implemented a data classification scheme, which provides
   a consistent approach for describing, categorizing and employing MCC data in a
   standard and consistent manner across the Agency.

2. The Enterprise Data Dictionary or Data Reference Model (DRM) is being completed
   and is on track for completion by spring 2011, which will promote a common
   understanding of data among IT and business users and allow for the sharing of data
   elements among applications and systems. The DRM is part of an overall Enterprise
   Content Management (ECM) strategy that MCC is in the process of initiating.

Opportunities for Improvement
1. An enterprise information architecture project, as documented in the Executive Level
   Notional OCIO 2 Year Portfolio, is in early stages and needs to be completed in
   order to further align resources to increase business performance and facilitate MCC
   carrying out its mission.

2. 
A methodology for leveraging information (i.e., data warehouse or data mining\n   technologies) has been determined but implementation will not commence until the\n   Enterprise Content Management (ECM) project is at a maturity level to provide\n   business users access to detailed information to aid in analysis and decision making.\n\nMaturity Level Ranking and Definition as Defined by COBIT\nMaturity Level: 2 \xe2\x80\x93 Repeatable but Intuitive\nCOBIT Definition - An information architecture process emerges and similar, though\ninformal and intuitive, procedures are followed by different individuals within the\norganization. Staff obtain their skills in building the information architecture through\nhands-on experience and repeated application of techniques. Tactical requirements\ndrive the development of information architecture components by individual staff\nmembers.\nRecommendations\n3. We recommend that the Millennium Challenge Corporation Chief Information Officer\n   complete the enterprise information architecture planning and implementation project\n   as discussed in the Executive Level Notional OCIO 2 Year Portfolio in order to\n   maintain an information architecture that reflects the business requirements.\n4. We recommend that the Millennium Challenge Corporation Chief Information Officer\n   develop and implement a project plan for leveraging data as indicated in the\n   authoritative data source process and methodology so as to provide business users\n   access to detailed information to aid in analysis and decision making.\n\n\nCOBIT PO4 - Define the IT Processes, Organizations and Relationships\nObserved Best Practices\n1. MCC has established an Enterprise Architecture Steering Committee, clearly\n   indicating key positions and roles and responsibilities of the committee.\n\n2. 
Risk responsibility at the enterprise level is beginning to be addressed by the newly
   created position, Senior Investment and Risk Officer, under the direction of the Chief
   Executive Officer.

3. MCC has conducted a benchmarking study to determine the appropriate levels of
   funding within the IT budget, which should ultimately assist in the determination of
   the appropriate level of IT staff needed.

4. MCC has processes in place for ensuring that consultants and contract personnel
   who support the IT function know and comply with MCC’s policies for the protection
   of the organization’s information assets.

5. MCC has developed a communication and liaison structure between external entities
   such as the OMB, OIG, External Audit Committee, and private companies.

Opportunities for Improvement
1. A formal process is not in place for the EASC to prioritize IT-enabled investment
   programs. Additionally, the EASC has not formally implemented a process to focus
   on risk management considerations.

2. The placement of the IT function within the enterprise does not reflect the
   importance of IT to the enterprise. Furthermore, the reporting line of the CIO does
   not reflect the importance of IT. The CIO may have limited power in ensuring IT
   projects are given a priority level commensurate with the direction and goals of the
   Agency as a whole.

3. Skill inventories are not available to support project staffing.

4. The IT function does not have sufficient resources to adequately support the
   business goals and objectives.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 2 – Repeatable but Intuitive
COBIT Definition - The IT function is organized to respond tactically, but inconsistently,
to customer needs and vendor relationships.
The need for a structured organization and
vendor management is communicated, but decisions are still dependent on the
knowledge and skills of key individuals. There is an emergence of common techniques
to manage the IT organization and vendor relationships.
Recommendations
5. We recommend that the Millennium Challenge Corporation Chief of Staff develop
   and implement a formal process for the Enterprise Architecture Steering Committee
   to prioritize Information Technology-enabled investment programs, and that the
   process be consistently applied.

6. We recommend that the Millennium Challenge Corporation Chief of Staff formally
   document and implement a process requiring the Enterprise Architecture Steering
   Committee to consider risk management when discussing strategic direction and
   approval of information technology investments.

7. We recommend that the Millennium Challenge Corporation Chief Information Officer
   (1) conduct an analysis to determine whether the information technology function has
   sufficient resources to adequately support the business goals and objectives of the
   organization and (2) through the organization’s budgeting process, submit a written
   request for additional resources to address any shortfalls identified in the analysis.

Suggestions
3. We suggest that the Millennium Challenge Corporation Chief Information Officer and
   the MCC Chief Financial Officer develop skill inventories to support staffing for
   Information Technology projects, to include both Information Technology and
   business resources.


COBIT PO5 - Manage the IT Investment
Observed Best Practices
1. MCC has established a detailed manual for IT budget formulation policy and
   procedures.

2. MCC establishes a budget for IT projects. 
A quarterly budget review is performed to
   refine budgeting requirements based on the status of projects and changing
   priorities.

3. MCC has documented a decision-making process to prioritize the allocation of IT
   resources.

Opportunities for Improvement
1. The MCC budget process recently changed from line item budgeting to project
   budgeting (i.e., balance sheet line item vs. MIDAS project); however, the budget
   policy and procedures manual does not reflect this change.

2. There is not a clear line of sight between the IT budget and project tracking to
   determine earned value.

3. The decision-making process to prioritize the allocation of IT resources is not
   consistently applied. A process for determining the priority of projects requested by
   the business units has not been established.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 3 – Defined
COBIT Definition - Policies and processes for investment and budgeting are defined,
documented and communicated, and cover key business and technology issues. The IT
budget is aligned with the strategic IT and business plans. The budgeting and IT
investment selection processes are formalized, documented and communicated. Formal
training is emerging but is still based primarily on individual initiatives. Formal approval
of IT investment selections and budgets is taking place. IT staff members have the
expertise and skills necessary to develop the IT budget and recommend appropriate IT
investments.

Recommendations
8. We recommend that the Millennium Challenge Corporation Deputy Chief Financial
   Officer revise the budget policy and procedures to account for the change from line
   item budgeting to project budgeting.

9. 
We recommend that the Millennium Challenge Corporation Chief Information Officer\n   develop a process and implement a tool for monitoring project plans and work\n   completed to determine earned value, providing an early warning of performance\n   issues impacting project budgets.\n\nSuggestions\n4. We suggest that the Millennium Challenge Corporation Chief Information Officer\n   develop a process to consistently implement the decision-making process to\n   prioritize the allocation of Information Technology resources.\n\n\nCOBIT PO8 - Manage Quality\nObserved Best Practices\n1. MCC utilizes quality satisfaction surveying which results in improvement actions to\n   address issues.\n\nOpportunities for Improvement\n1. A Quality Management System (QMS) that identifies quality requirements and\n   criteria, and monitors performance against these requirements and criteria for\n   continuous improvement of IT services is not in place.\n\n2. Standards, procedures, and practices for key IT processes have not been identified\n   and documented. Key IT processes include development and acquisitions that\n   follow the life cycle of the deliverable.\n\nMaturity Level Ranking and Definition as Defined by COBIT\nMaturity Level: 1 \xe2\x80\x93 Initial/Ad Hoc\nCOBIT Definition - There is a management awareness of the need for a QMS. The QMS\nis driven by individuals where it takes place. Management makes informal judgments on\nquality.\nRecommendations\n10. We recommend that the MCC Chief Information Officer (CIO) define quality\n    requirements, criteria and key performance indicators for evaluation of quality\n    management for key Information Technology processes.\n\n11. 
We recommend that the MCC Chief Information Officer (CIO) identify and document
    standards, procedures, and practices for key Information Technology processes to
    guide the Agency in defining and evaluating criteria for quality management.


COBIT PO10 - Manage Projects
Observed Best Practices
1. MCC utilizes a portfolio tracker to track the status of major IT projects.

2. MCC requires project managers to obtain project management certification.

Opportunities for Improvement
1. MCC does not consistently apply formalized project management practices for all IT
   projects. Examples include:

       a. The project governance structure does not establish elements such as a
          project office, project manager, and project sponsors for all projects;

       b. The project management approach does not identify key criteria by which
          project performance may be measured;

       c. Project stakeholders are not required to ascertain whether the project
          delivered the planned results and benefits;

       d. The initiation of each major project phase is inconsistently approved, which
          may result in the lack of review or acceptance of deliverables in the previous
          phases;

       e. The responsibilities, authorities, and performance criteria of project members
          are not defined;

       f. Lessons learned are not documented for use on future projects and programs.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 2 – Repeatable but Intuitive
COBIT Definition - Senior management gains and communicates an awareness of the
need for IT project management. The organization is in the process of developing and
utilizing some techniques and methods from project to project. IT projects have
informally defined business and technical objectives.
There is limited stakeholder
involvement in IT project management. Initial guidelines are developed for many aspects
of project management. Application of project management guidelines is left to the
discretion of the individual project manager.
Recommendations
12. We recommend that the Millennium Challenge Corporation Chief Information Officer
    implement a process to incorporate the following components into its projects:

            a. A project governance structure that includes the roles, responsibilities,
               and accountabilities of various key players in project management.

            b. Project sponsors assigned for the execution of each project.

            c. Project office and project manager.

            d. Elements such as approving the initiation of phases, communicating to all
               stakeholders the status of projects, establishing an integrated project
               plan and project quality plan, and defining the responsibilities of project
               team members.

            e. Project risk management through the process of planning, identifying,
               analyzing, responding to, monitoring and controlling risk.

            f. Project change control.

            g. Lessons learned.


Acquire and Implement (AI)
Acquiring Application Software and Technology Infrastructure
MCC has drafted a System Development Life Cycle (SDLC) plan to guide development
projects and help ensure the applications developed meet desired business needs.
However, the SDLC has not been implemented. The SDLC Implementation Guide
includes roles and responsibilities and describes each of the phases of the system
development lifecycle, including: Initiation, System Concept Development, Planning,
Requirements, Design, Development, Integration and Test, Implementation, Operations
and Maintenance, and Disposition.
The SDLC methodology will be used for all major\ninformation technology development projects which have been defined in legislation as\nmeeting one or more of the following: (1) the estimated total cost of development equals\nor exceeds $1 million; (2) the project is undertaken to support a critical business\nfunction; or (3) the Enterprise Architecture Steering Committee/CIO determines that the\nproject requires the special attention and consideration given to a major information\ntechnology development project. For other changes to the MCC IT environment,\nincluding software and hardware, review and approval is required by the MCC Change\nControl Board (CCB). The CCB approval process is designed for acquisitions less than\n$300,000, and is typically for non-standard software requirements requested by users.\nApplications and projects of a higher cost are managed by the Enterprise Architecture\nSteering Committee (EASC). Per the EASC Charter, the EASC is responsible for\nestablishing project managers and business sponsors for all major information\ntechnology investments above a $300,000 threshold. An Integrated Business Team\n(IPT) is responsible for defining business requirements and functions as well as detailed\ndesign documents, which are reviewed and approved by the EASC.\nMCC addresses the initial risk management of procurements through the use of Risk\nManagement Plans and Exhibit 300 business cases. However, these have not been\nconsistently used, monitored and updated annually where procurements are occurring\noutside of the guidance of the Office of the Chief Information Officer. Although the\nSDLC Implementation Guide briefly discusses security and risk management, detailed\npolicies and procedures regarding how application security, availability, and risks are\nmanaged when procuring an IT asset are not documented. 
In addition, MCC has not
developed and implemented a policy to address the need to automate controls in
procured software.
Acquisition, implementation and maintenance of the technological infrastructure are not
consistently in line with the established functional and technical requirements because
the IT Strategic Plan has not been updated to align with MCC’s strategy. MCC completed
a Tool Gap Analysis and Strategy Plan to determine whether Enterprise Content
Management (ECM) platforms and tools are meeting business requirements and
performed benchmarking to determine the tools best suited for MCC. The tools and
applications reviewed were those specifically designed and used for Content
Management (CM), Business Process Management (BPM), and Records Management
(RM). The outcome of the analysis pinpointed gaps where the current ECM tools are not
aligned with business requirements. This information will be used to establish the
course of action necessary to align the required business tools with Enterprise
Architecture efforts.

Installing and Accrediting Solutions
The Agency currently ensures that newly acquired systems are accredited and performs
evaluations of implemented systems through Independent Verification & Validation
Assessments (IV&V). For example, MCC completed a post production review of MCC’s
Integrated Data Analysis System (MIDAS), launched in March 2009, through an IV&V.
However, there were several issues noted related to integration, testing and installation
of new systems. MCC has not documented policies and procedures for data conversion,
testing of applications, and infrastructure migration of new systems. Integration of
acquired software is not always considered and planned during design and testing
phases.
In addition, MCC has not consistently evaluated whether user requirements
have been met, and personnel are not adequately trained in the use of developed
applications. This has led to systems, such as MIDAS, entering production that are
unsatisfactory to users and require additional cost and support to function within the
technology infrastructure.
Application and Technology Infrastructure Maintenance
Maintenance and security of the technological infrastructure are outsourced to contractors
as a cost saving measure. The contracts in place include performance metrics for
maintaining the patching program. MCC has also implemented infrastructure
vulnerability scanning to assist with patch management. However, MCC does not
currently have a strategy in place to fully address the maintenance of software
applications. IT has not been involved in the project management of all software
applications to ensure that software maintenance was considered in the long term
application strategy. The SDLC Implementation Guide describes the operations and
maintenance phase of the software development life cycle; however, detailed policies
and procedures have not been documented.
Procuring IT Resources
The agency relies largely on contractors for systems development projects. Many of the
issues previously discussed related to installing systems were due to contractors not
meeting contractual obligations such as testing and end user training. These problems
may be prevented if performance monitoring of contracts is consistently performed.
Procedures for establishing, modifying, and terminating contracts for suppliers are
documented in the Contracting Operations Manual (COM), which is MCC’s interpretation
of the Federal Acquisition Regulation (FAR). Specifically, the COM provides clarifying
language or interpretation of the FAR where further definition is required or where
variations are required to meet the needs of MCC.
Components of the COM include
legal review, performance monitoring, security, and debarment, suspension and
ineligibility of contractors. The agency utilizes a Technical Evaluation Panel to ensure
best fit based on specified requirements. Although the FAR and COM are utilized to
guide IT acquisition, MCC does not have a formalized process in place to evaluate
whether all components of IT acquisition have been considered. For example,
performance metrics, intellectual property considerations, and contractual requirements
are not consistently discussed during the IT acquisition process. Additionally, there is no
process in place to ensure compliance with the policies and procedures, such as post
award and ongoing contract compliance reviews.
The summary of observations identified in the review, as well as the assessed COBIT
Maturity Level Ranking and recommendations, are provided as follows:


COBIT AI2 - Acquire and Maintain Application Software
Observed Best Practices
1. A Change Control Board (CCB) monitors applications, including software and
   hardware changes. The approval process is designed for acquisitions that are less
   than $300K and are typically for non-standard software requirements requested by
   users.

2. An Enterprise Architecture Steering Committee (EASC) manages higher cost
   Information Technology projects. Per the Charter, the EASC is “charged with
   establishing both project managers and business sponsors of all major Information
   Technology investments above a $300,000 threshold.”

3. MCC has drafted a System Development Life Cycle (SDLC) to guide its
   development projects that will help ensure that the applications developed meet
   desired business needs.

Opportunities for Improvement
1. 
Risk management plans and Exhibit 300 business cases are not consistently used
   and monitored where procurements are occurring outside of the Office of the Chief
   Information Officer.

2. MCC has not implemented the documented System Development Life Cycle (SDLC).

3. MCC has not addressed the need to automate controls in procured software.

4. The agency does not have a policy for how application security, availability, and risks
   are managed when procuring an IT asset.

5. MCC does not have a strategy in place to fully address the maintenance of software
   applications.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 1 – Initial/Ad Hoc
COBIT Definition - There is an awareness that a process for acquiring and maintaining
applications is required. Approaches to acquiring and maintaining application software
vary from project to project. Some individual solutions to particular business
requirements are likely to have been acquired independently, resulting in inefficiencies
with maintenance and support.
Recommendations
13. We recommend that the Millennium Challenge Corporation Chief Information Officer
    implement a process to verify that risk management plans and Exhibit 300 business
    cases are consistently used, monitored and updated annually for all Information
    Technology projects as required.

14. We recommend that the Millennium Challenge Corporation Chief Information Officer
    finalize and implement the System Development Life Cycle.

15. We recommend that the Millennium Challenge Corporation Chief Information Officer
    develop and implement a policy to fully address the maintenance of software
    applications.

Suggestions
5. 
We suggest that the Millennium Challenge Corporation Chief Information Officer
   develop and implement a policy to address the need to automate controls in
   procured software.

6. We suggest that the Millennium Challenge Corporation Chief Information Officer
   develop and implement a policy for managing application security, availability, and
   risks when procuring an Information Technology asset.


COBIT AI3 - Acquire and Maintain Technology Infrastructure
Observed Best Practices
1. MCC outsources the management of infrastructure and security components as a
   cost saving measure.

2. MCC has implemented infrastructure vulnerability scanning to assist with patch
   management.

3. MCC completed a Tool Gap Analysis and Strategy Plan to determine whether
   platforms and tools are meeting business requirements and performed
   benchmarking to determine the tools best suited for MCC.

Opportunities for Improvement
1. Integration of software into the current infrastructure is not consistently considered
   in design or testing.

2. Acquisition, implementation and maintenance of the technological infrastructure are
   not consistently in line with the established business functional and technical
   requirements.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 2 – Repeatable but Intuitive
COBIT Definition - There is a consistency among tactical approaches when acquiring
and maintaining the IT infrastructure. Acquisition and maintenance of IT infrastructure
are not based on any defined strategy and do not consider the needs of the business
applications that must be supported. There is an understanding that the IT infrastructure
is important, supported by some formal practices. Some maintenance is scheduled, but
it is not fully scheduled and co-ordinated.
For some environments, a separate test
environment exists.

Recommendations
16. We recommend that the Millennium Challenge Corporation Chief Information Officer
    develop and implement a process for ensuring the integration of software into the
    current infrastructure is properly planned and executed.

Suggestions
7. We suggest that the Millennium Challenge Corporation Chief Information Officer
   develop and implement a plan for aligning the acquisition, implementation and
   maintenance of the technological infrastructure with business requirements as
   defined by the revised Information Technology Strategic Plan.


COBIT AI5 - Procure IT Resources
Observed Best Practices
1. Procedures exist for establishing, modifying, and terminating contracts for suppliers.
   Components include legal review, performance monitoring, security, and debarment,
   suspension and ineligibility of contractors.

2. A Technical Evaluation Panel is used to establish a formal practice to ensure best fit
   for suppliers based on specified requirements.

Opportunities for Improvement
1. MCC has not formalized a process to evaluate whether all components of IT
   acquisition (i.e., metrics, intellectual property considerations, contract requirements)
   have been addressed.

2. MCC does not have a process in place to ensure compliance with policies and
   procedures for IT acquisition prior to reviews conducted by appropriate parties, such
   as the Legal Department, the Managing Director, etc.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 3 – Defined
COBIT Definition - Management institutes policies and procedures for IT acquisition.
Policies and procedures are guided by the business organization’s overall procurement
process.
IT acquisition is largely integrated with overall business procurement systems.\nIT standards for the acquisition of IT resources exist. Suppliers of IT resources are\nintegrated into the organization\xe2\x80\x99s project management mechanisms from a contract\nmanagement perspective. IT management communicates the need for appropriate\nacquisitions and contract management throughout the IT function.\nRecommendations\n17. We recommend that the Millennium Challenge Corporation Director of Contracting\n    develop and implement Information Technology Acquisition instructions that provide\n\n\n\n                                                                                      19\n\x0c   a methodology to evaluate the components of Information Technology acquisition\n   contracts.\n\nSuggestions\n8. We suggest that the Millennium Challenge Corporation Director of Contracting\n   develop and implement a process for ensuring compliance with policies and\n   procedures for Information Technology acquisition.\n\n\nCOBIT AI7 - Install and Accredit Solutions and Changes\nObserved Best Practices\n1. MCC ensures that developed systems are accredited.\n\n2. MCC performed a post-production review of an IT investment through an\n   Independent Verification and Validation Assessment.\n\nOpportunities for Improvement\n1. MCC has not consistently implemented a standardized and measurable approach for\n   evaluating whether user requirements have been met, which may lead to systems\n   entering production that are unsatisfactory to users and management.\n\n2. MCC has not ensured that personnel are trained in the use of developed\n   applications.\n\n3. 
MCC does not have documented policies and procedures for data conversion,\n   testing of applications, and infrastructure migration.\n\nMaturity Level Ranking and Definition as Defined by COBIT\nMaturity Level: 2 \xe2\x80\x93 Repeatable but Intuitive\nCOBIT Definition - There is some consistency amongst the testing and accreditation\napproaches, but typically they are not based on any methodology. The individual\ndevelopment teams normally decide the testing approach, and there is usually an\nabsence of integration testing. There is an informal approval process.\nRecommendations\n18. We recommend that the Millennium Challenge Corporation Chief Information Officer\n    develop and implement a process to ensure end user testing and evaluation of\n    developed applications.\n\n19. We recommend that the Millennium Challenge Corporation Chief Information Officer\n    develop and implement a process to ensure personnel are trained in the use of\n    developed applications.\n\n20. We recommend that the Millennium Challenge Corporation Chief Information Officer\n    document and implement policies and procedures for data conversion, testing of\n    applications and infrastructure migration.\n\n                                                                                 20\n\x0cDeliver and Support (DS)\nDefining and Managing Third Party Services\nA risk management strategy to identify and monitor information service providers is\napplied. Business requirements have been established and are used to determine\nwhether skills are needed through contracting services. As such, MCC has categorized\nall critical information system suppliers, and contracts are in place with each supplier.\nThe contracts document roles and responsibilities, goals, expected deliverables, and\ncredentials of representatives of these suppliers. 
A formal process for reviewing contracts with suppliers at pre-defined intervals, such as at invoicing and exercising of option years, has been implemented.

Within each IT services contract, business requirements are documented. In addition, service level agreements (SLAs) have been developed and defined for critical IT third party service providers. Monitoring of the SLAs has been implemented, with the exception of services provided for the MIDAS application. For one key contract, an award fee/bonus is available in addition to the fixed price schedule. In the case of nonperformed or unsatisfactory work, MCC may deduct from the vendor’s invoice all amounts associated with such unsatisfactory or non-performed work or allow the contractor to re-perform the work within a reasonable period subject to the discretion of the Contracting Officer Technical Representative. For other vendors, MCC communicates issues and requests correction; however, there is no connection between service level agreement requirements and compensation. Additionally, MCC does not have formalized procedures for resolving contractor performance shortfalls, as was evident with the MIDAS project. Implementing periodic review and feedback of performance for all contractors should improve service delivery and support early detection of potential problems.

Managing Problems
Tier-one support is provided through a third-party organization, CSC, and we noted that a process is in place for reporting, classifying, tracking and remediating problems through this contract. A formal process is implemented to close problem records after successfully confirming the elimination of any known errors. Systems have been equipped with automatic detection or warning mechanisms which are continuously tracked and evaluated. In addition, bandwidth utilization and router availability are tracked and reported. Analysis is performed to determine the root cause of issues identified, and monthly meetings are held with CSC senior management to discuss areas for improvement or efficiencies.

However, MCC has not evolved the problem management process into a proactive one that can anticipate and prevent problems or ensure that knowledge regarding patterns of past and future problems is maintained through regular communication with vendors and experts. Likewise, a means of producing continuous improvement based on analysis of problem management performance measures is not yet a mature practice.

The summary of observations identified in the review as well as the assessed COBIT Maturity Level Ranking and recommendations are provided as follows:

COBIT DS1 - Define and Manage Service Levels
Observed Best Practices
1. Business requirements have been established and are used to determine whether skills are needed through contracting services. Business requirements have been documented in each IT services contract.
2. Service levels have been developed and defined for critical IT services with some third party service providers.

Opportunities for Improvement
1. MCC does not have service level agreements for the contracts associated with MIDAS.
2. MCC does not have formalized procedures for resolving performance shortfalls of contractors.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 3 – Defined
COBIT Definition - Responsibilities are well defined, but with discretionary authority. The SLA development process is in place with checkpoints for reassessing service levels and customer satisfaction. Services and service levels are defined, documented and agreed-upon using a standard process. Service level shortfalls are identified, but procedures on how to resolve shortfalls are informal. There is a clear linkage between expected service level achievement and the funding provided. Service levels are agreed to, but they may not address business needs.

Recommendations
21. We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement a process to enforce the creation of service level agreements for all endeavors requiring contract support.

Suggestions
9. We suggest that the Millennium Challenge Corporation Director of Contracting formalize procedures on resolving performance shortfalls of contractors.

COBIT DS2 - Manage Third Party Services
Observed Best Practices
1. All critical suppliers have been identified.
2. Contracts are in place with all suppliers.
3. Monitoring of SLAs with some third party service providers is implemented.
4. For one contract, defined reporting of service level achievement is linked to compensation.
5. Contracts with suppliers are reviewed at predefined intervals.
6. A risk management strategy is in place for all contracts.

Opportunities for Improvement
1. Defined reporting of service level achievement is not linked to compensation for all third-party service providers, such as the services provided for the MIDAS application and for information security systems services.
2. Periodic review and feedback of performance is not implemented for all contractors to improve service delivery and support early detection of potential problems.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 4 – Managed and Measurable
COBIT Definition - Formal and standardized criteria are established for defining the terms of engagement, including scope of work, services/deliverables to be provided, assumptions, schedule, costs, billing arrangements and responsibilities. Responsibilities for contract and vendor management are assigned. Vendor qualifications, risks and capabilities are verified on a continual basis. Service requirements are defined and linked to business objectives. A process exists to review service performance against contractual terms, providing input to assess current and future third-party services. Transfer pricing models are used in the procurement process. All parties involved are aware of service, cost and milestone expectations. Agreed-upon goals and metrics for the oversight of service providers exist.

Recommendations
22. We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement a process for periodic review and feedback of performance for all contractors to improve service delivery and support early detection of potential problems.

Suggestions
10. We suggest that the Millennium Challenge Corporation Director of Contracting verify that all contracts, prior to award, include linkage of reporting of service level achievement to compensation. For contracts already in place, we recommend that MCC include linkage of reporting of service level achievement to compensation upon renewal.

COBIT DS10 - Manage Problems
Observed Best Practices
1. A process is in place for reporting, classifying, tracking and remediating problems through the CSC contract.
2. A process is in place for detecting system issues, including warning mechanisms for early detection.
3. Analysis is performed to determine the root cause of issues identified, and monthly meetings are held with CSC senior management to discuss areas for improvement or efficiencies.

Opportunities for Improvement
1. MCC has not evolved the problem management process into a proactive one that can anticipate and prevent problems.
2. MCC does not consistently maintain knowledge regarding patterns of past and future problems through regular contacts with vendors and experts.
3. MCC does not have a process in place to ensure continuous improvement based on analysis of problem management performance measures.

Maturity Level Ranking and Definition as Defined by COBIT
Maturity Level: 4 – Managed and Measurable
COBIT Definition - The problem management process is understood at all levels within the organization. Responsibilities and ownership are clear and established. Methods and procedures are documented, communicated and measured for effectiveness. The majority of problems are identified, recorded and reported, and resolution is initiated. Knowledge and expertise are cultivated, maintained and developed to higher levels, as the function is viewed as an asset and major contributor to the achievement of IT objectives and improvement of IT services. Problem management is well integrated with interrelated processes, such as incident, change, availability and configuration management, and assists customers in managing data, facilities and operations. Goals and metrics have been agreed upon for the problem management process.

Suggestions
11. We suggest that the Millennium Challenge Corporation Chief Information Officer evaluate and update the problem management process to include processes for proactively anticipating and preventing future problems.
12. We suggest that the Millennium Challenge Corporation Chief Information Officer develop and implement a formal process for maintaining knowledge regarding patterns of past and future problems affecting the Agency through regular contacts with vendors and experts.
13. We suggest that the Millennium Challenge Corporation Chief Information Officer develop and implement a continuous improvement process based on analysis of problem management performance measures.

Monitor and Evaluate (ME)
Monitoring and Evaluating Performance
MCC has established the Enterprise Architecture Steering Committee (EASC) for monitoring large IT investment projects above a $300,000 threshold and utilizes a portfolio tracker to track the status of major IT projects. However, not all IT projects and processes have been regularly monitored by OCIO, due to the reporting structure of the CIO, which has, in the past, given priority to projects sponsored by the CFO rather than ensuring all IT projects are provided a priority level commensurate with the direction and goals of the Agency as a whole. Recently, however, the CIO has implemented a process for monitoring projects by assigning a project manager to all IT projects.

In addition, IT Risk Management Plans and Business Cases for IT projects in the form of Exhibit 300s are not consistently used to set performance targets. The Exhibit 300 requires documentation of the agency's mission, strategic goals, and performance measures (indicators). On the other hand, OCIO has implemented and is monitoring performance targets with the business in the form of the Service Level Agreements (SLAs) documented in the CSC contract. Monitoring these SLAs provides a measurement of how well the information services function is contributing to the performance of the organization.

Ensuring Compliance with External Requirements
MCC OCIO has processes in place to identify applicable laws and regulations that must be complied with for incorporation into the IT policies, standards, procedures and methodologies.
With regard to information security, OCIO has a process in place to\nassist with ensuring compliance with the Federal Information Security Management Act\n(FISMA). With respect to managing IT investment projects, individuals charged with\nmanaging projects or contracts are required to have project management certificates or\ncertifications for Contracting Officer Technical Representative (COTR) as specified by\nthe Office of Management and Budget (OMB). Concerning acquisitions of IT resources\nand investments, MCC follows the Federal Acquisition Regulations (FAR). However,\nMCC does not have a process in place to monitor compliance with external requirements\nto ensure consistency. In addition, MCC does not have a process in place to review and\nadjust policies to ensure they comply with external requirements. For example, MCC\ndoes not have policies for adapting the FAR Part 39, Acquisition of Information\nTechnology, to the Agency including assessing, monitoring and controlling risk when\nselecting projects for investment and during program implementation. Developing and\nimplementing a program management office with oversight over compliance issues may\nassist the MCC OCIO in ensuring compliance with regulatory requirements and\ncompliance with internal policies and procedures.\nProviding IT Governance\nThe Enterprise Architecture Steering Committee (EASC) is a governance body that is in\nplace to provide strategic direction to management relative to information Technology\ninvestments and the MCC CIO regularly reports to senior management regarding the\nprogress of IT projects. IT project risk is initially assessed and documented through the\nuse of Exhibit 300s. 
However, risk assessments for IT projects are inconsistently\nperformed and there is no process in place for continuous monitoring of project risk,\nincluding the annual update of the Exhibit 300, as required by the Office of Management\n\n                                                                                        25\n\x0cand Budget (OMB). In addition to the EASC, governance over IT processes is also\nachieved through audits and reviews performed by the Office of Inspector General\n(OIG).\nMCC has developed baseline IT Governance indicators in the IT Strategic Plan, for\nexample establishing the Enterprise Architecture Steering Committee, maintaining\nFISMA compliance, and completing and approving risk assessments and OMB Exhibit\n300s for IT projects. Although baseline governance indicators have been developed, a\nprocess has not been implemented for monitoring and reporting on key governance\nperformance indicators leading to enterprise improvements.\nThe summary of observations identified in the review as well as the assessed COBIT\nMaturity Level Ranking and recommendations are provided as follows:\n\n\nCOBIT ME1 - Monitor and Evaluate Performance\nObserved Best Practices\n1. MCC has established an Enterprise Architecture Steering Committee for monitoring\n   IT projects above a $300,000 threshold with senior management involvement and\n   utlizes a portfolio tracker to track status of major IT projects.\n2. MCC has established performance targets within the business and is monitoring\n   those targets on a monthly basis.\nOpportunities for Improvement\n1. IT Risk Management Plans and Business Cases for IT projects are not consistently\n   used to set performance targets.\n2. 
All IT projects and processes had not been regularly monitored by OCIO due to the\n   reporting structure of the CIO which had and could continue to give priority to\n   projects sponsored by the CFO.\nMaturity Level Ranking and Definition as Defined by COBIT\nMaturity Level: 3 \xe2\x80\x93 Defined\nCOBIT Definition - Management communicates and institutes standard monitoring\nprocesses. Educational and training programs for monitoring are implemented. A\nformalized knowledge base of historical performance information is developed.\nAssessment is still performed at the individual IT process and project level and is not\nintegrated amongst all processes. Tools for monitoring IT processes and service levels\nare defined. Measurements of the contribution of the information services function to the\nperformance of the organization are defined, using traditional financial and operational\ncriteria. IT-specific performance measurements, non-financial measurements, strategic\nmeasurements, customer satisfaction measurements and service levels are defined. A\nframework is defined for measuring performance.\nRecommendations\n23. We recommend that the Millennium Challenge Corporation Chief Information Officer\n    develop and implement a monitoring process to ensure that all Information\n    Technology projects are provided a priority level commensurate with the direction\n\n                                                                                      26\n\x0c   and goals of the Agency as a whole, not with the goals of individual leaders within\n   the Agency.\nSuggestions\n14. 
We suggest that the Millennium Challenge Corporation Chief Information Officer\n    develop and implement a review process to verify the use of Information Technology\n    Risk Management Plans and Business cases to ensure that performance targets are\n    established for each Information Technology project.\n\n\nCOBIT ME3 - Ensure Compliance with External Requirements\nObserved Best Practices\n1. MCC identifies the external laws and requirements that must be complied with on a\n   continuous basis.\n2. MCC has implemented a process to assist in ensuring compliance with the Federal\n   Information Security Management Act (FISMA).\n3. MCC follows federal guidelines, the Federal Acquisition Regulations (FAR), for\n   acquisitions.\n4. Individuals charged with managing projects or contracts are required to have project\n   management certificates or certifications for Contracting Officer Technical\n   Representative as specified by the Office of Management and Budget (OMB).\nOpportunities for Improvement\n1. MCC does not have a process in place to review and adjust policies to ensure they\n   comply with external requirements.\n2. There is no program management office to monitor compliance with external\n   requirements.\nMaturity Level Ranking and Definition as Defined by COBIT\nMaturity Level: 4 \xe2\x80\x93 Managed and Measureable\nCOBIT Definition - Issues and exposures from external requirements and the need to\nensure compliance at all levels are fully understood. A formal training scheme is in place\nto ensure that all staff members are aware of their compliance obligations.\nResponsibilities are clear and process ownership is understood. The process includes a\nreview of the environment to identify external requirements and ongoing changes. There\nis a mechanism in place to monitor non-compliance with external requirements, enforce\ninternal practices and implement corrective action. 
Non-compliance issues are analyzed\nfor root causes in a standard manner, with the objective to identify sustainable solutions.\nStandardized internal good practices are utilized for specific needs, such as standing\nregulations and recurring service contracts.\n\n\n\n\n                                                                                        27\n\x0cSuggestions\n15. We suggest that the Millennium Challenge Corporation Director of Contracting in\n    collaboration with the Chief Information Officer develop and implement a process to\n    review and adjust policies on a regular basis to ensure they comply with external\n    requirements.\n   16. We suggest that the Millennium Challenge Corporation Chief Information Officer\n       and the MCC Director of Contracting develop and implement a program\n       management program to monitor compliance with external requirements.\n\n\n\n\nCOBIT ME4 - Provide IT Governance\nObserved Best Practices\n1. MCC obtains independent assurance of its IT environment through audits and\n   reviews by the Office of Inspector General (OIG).\n2. The Chief Information Officer regularly reports to senior management regarding the\n   progress of IT projects.\n3. A governance body (Enterprise Architecture Steering Committee) is in place to\n   provide strategic direction to management relative to IT.\n4. IT project risk is initially assessed and documented through the use of Exhibit 300s.\n5. MCC has developed baseline IT Governance indicators in the IT Strategic Plan, for\n   example establishing the Enterprise Architecture Steering Committee, maintaining\n   FISMA compliance, and completing and approving risk assessments and OMB\n   Exhibit 300s for IT projects.\nOpportunities for Improvement\n1. 
Risk assessments for IT projects are inconsistently performed and there is no\n   process in place for continuous monitoring of project risk, including the annual\n   update of the Exhibit 300, as required by the Office of Management and Budget\n   (OMB).\n2. Although baseline governance indicators have been developed a process has not\n   been implemented for the monitoring and reporting on performance indicators\n   leading to enterprise improvements.\nMaturity Level Ranking and Definition as Defined by COBIT\nMaturity Level: 2 \xe2\x80\x93 Repeatable but Intuitive\nCOBIT Definition - There is awareness of IT governance issues. IT governance activities\nand performance indicators, which include IT planning, delivery and monitoring\nprocesses, are under development. Selected IT processes are identified for\nimprovement based on individuals\xe2\x80\x99 decisions. Management identifies basic IT\ngovernance measurements and assessment methods and techniques; however the\nprocess is not adopted across the organization. Communication on governance\nstandards and responsibilities is left to the individual. Individuals drive the governance\n\n                                                                                       28\n\x0cprocesses within various IT projects and processes. The processes, tools and metrics to\nmeasure IT governance are limited and may not be used to their full capacity due to a\nlack of expertise in their functionality.\nRecommendations\nSee Recommendation 13\nSuggestions\n17. 
We suggest that the Millennium Challenge Corporation Chief Information Officer\n    develop and implement a process for monitoring and reporting on baseline\n    performance indicators to assist with continuous process improvement.\n\n\n\n\n                                                                                    29\n\x0cRISK ASSESSMENT\nCONCLUSION\nAs MCC continues to select and manage its information technology investments, it is\nimportant to have a formal process in place to manage risk. This will assist in ensuring IT\nobjectives are correlated with business objectives and IT investments are prioritized and\nmanaged to effectively support Agency initiatives. To address control gaps identified in\nMCC\xe2\x80\x99s IT governance over its information technology investments, MCC must carry out\ncorrective actions to address the recommendations made in this report. In addition, MCC\nshould consider the suggestions identified and determine a course of action for prioritizing\nand implementing the suggestions deemed appropriate according to a feasible timetable.\n\n\n\n\n                                                                                         30\n\x0c                                                                                 APPENDIX I\n\n\n\nEVALUATION OF\nMANAGEMENT COMMENTS\nIn response to the draft report, Millennium Challenge Corporation (MCC) noted\ncorrections should be made to pages five and ten of the draft report regarding\nreferences to the Chief Information Officer\xe2\x80\x99s (CIO) reporting relationship to MCC\xe2\x80\x99s Chief\nExecutive Officer. Subsequent to the delivery of the draft Risk Assessment, the Office of\nInspector General (OIG) informed MCC that the CIO\xe2\x80\x99s reporting relationship was no\nlonger an open recommendation and that the OIG recognized that MCC made a\nmanagement decision on this issue. 
Based on this information, modifications have been\nmade to the report to reflect the closure of the previous recommendation. We have left\nthe statement in the report because the risk was identified during our field work and the\nclosure of the finding was not reported until after delivery of the draft report. Additionally,\nsince a determination on the effectiveness of the new reporting structure has not been\nmade, we still view this as a risk.\nMCC also noted that a correction should be made regarding the completion date for the\nEnterprise Architecture Data Reference Module. In our draft, we reported a completion\ndate of Spring 2011. Per management\xe2\x80\x99s response, the Data Reference Model will not be\ncomplete until September 2011. As a result, we have updated the report to reflect the\ncorrect completion date.\nMCC management concurred with and agreed to take corrective action for each of the\n23 recommendations. However, timelines for completion have been provided for only\nthree of the recommendations. CG agrees with MCC\xe2\x80\x99s management decisions on those\nthree recommendations, discussed below.\n   \xe2\x80\xa2   For recommendation 17, management agreed to develop and implement IT\n       acquisition instructions to include a methodology for acquisition planning that\n       addresses the different components of IT acquisition contracts. The target\n       completion to fully close this recommendation is July 31, 2011.\n   \xe2\x80\xa2   For recommendation 21, management agreed to develop guidelines for\n       establishing service level agreements and requirements for including those\n       agreements in large and complex information technology contracts. 
The target completion to fully close this recommendation is July 31, 2011.
   •   For recommendation 22, management agreed to develop guidance and requirements for periodic contractor performance reviews that will provide for early detection of problems and improved service delivery on large and complex information technology contracts, including the use of the Contract Performance Assessment Rating System. The target completion to fully close this recommendation is July 31, 2011.

For the remaining recommendations, MCC management plans to prepare a Combined Corrective Action Plan by July 31, 2011. MCC management indicated that the plan will address the milestones and dates associated with the remaining recommendations.

MCC’s management comments are included in their entirety in Appendix II.

SCOPE AND METHODOLOGY

Scope

The risk assessment was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. In addition, our work in support of the risk assessment was guided by the Information Technology Governance Institute’s Control Objectives for Information and related Technology (COBIT) framework version 4.1. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of IT and developing appropriate IT governance and control in an organization. It provides good practices for the management of IT processes in a manageable and logical structure, meeting the multiple needs of enterprise management by bridging the gaps between business risks, technical issues, control needs and performance measurement requirements.

In the absence of specific federal guidance solely focused on governance over IT investments, we believe the Information Technology Governance Institute’s COBIT provides best practices in helping organizations assess their governance controls. However, since MCC must comply with federal laws and regulations, we mapped COBIT 4.1 to National Institute of Standards and Technology (NIST) 800-53 Rev 3 controls, where applicable. See Appendix IV.

We conducted our audit at the Millennium Challenge Corporation (MCC) Headquarters in Washington, DC, from October 11, 2010, to January 27, 2011. To answer the assessment objective, we conducted interviews with MCC staff and reviewed documentation related to IT governance processes and control objectives under evaluation. Such documentation included the MCC IT Strategic Plan, the September 2010 CIO Brief to the MCC Vice President, the Enterprise Architecture Steering Committee Charter and meeting minutes, the IT Project Budget, the OCIO 2-Year Portfolio of IT projects, the OCIO Portfolio Tracking Dashboard, contracts and service level agreements for service providers, the Contracting Operations Manual (COM), the Exhibit 300: Capital Asset Plan and Business Case Summary for the MIDAS application, the current and proposed CIO organizational structure, and the CIO IT Operational Budget Benchmarking Report. We reviewed laws, regulations, OMB circulars and memorandums, and other guidance related to the assessment objective. The objective of this assessment was to determine what MCC’s risks are for selecting, managing, and controlling its information technology investments. The IT investments reviewed included the MCC Integrated Data Analysis System (known as MIDAS), the Integrated Financial and Contract Management System (IFCMS), Enterprise Content Management (ECM), and additional support contracts.

The assessment did not include risks with respect to security and privacy.

Methodology

Our methodology was categorized into three phases: the planning, testing (fieldwork), and reporting phases. The primary objective of the planning phase was to develop the audit program and the work plan that addressed the tasks outlined in the Statement of Work. The primary objective of the testing phase was to assist the MCC AIG in assessing the risk assessment areas as defined below and complete the risk assessment procedures as defined in the audit program. Specifically, we:
   •   Evaluated and tested selected IT processes and control objectives for MCC (described in the Control Objectives for Information and related Technology (COBIT) framework version 4.1);
   •   Interviewed key personnel and obtained and examined documentation related to the IT processes and control objectives under review; and
   •   Assigned a maturity level to each IT process evaluated, ranging from non-existent (0) to optimized (5).

The risk assessment methodology utilized COBIT version 4.1, which provides a mechanism for measuring how well developed management processes are in relation to accepted industry standards.
The use of COBIT\xe2\x80\x99s maturity model assisted us in\n          measuring performance and addressing gaps in capability in assessing the effectiveness\n          of MCC\xe2\x80\x99s IT governance practices over its IT investments.\n          The key COBIT IT governance areas we focused on are:\n\n\nIT Governance                                                                                        Standard/Best\n                          Definition                                 Importance\nArea                                                                                                 Practice\n\n\nPlan and Organize\n\n\nDefine a Strategic IT     Creating a strategic plan that defines,    Incorporating IT and business   COBIT\nPlan                      in co-operation with relevant              management in the translation\n                          stakeholders, how IT goals will            of business requirements into   PO1\n                          contribute to the enterprise\xe2\x80\x99s strategic   service offerings, and the\n                          objectives and related costs and risks     development of strategies to\n                                                                     deliver these services in a\n                                                                     transparent and effective\n                                                                     manner\n\n\nDefine the                Creating and regularly updating a          Being agile in responding to    COBIT\nInformation               business information model and             requirements, to provide\nArchitecture (MCC\xe2\x80\x99s       defining the appropriate systems to        reliable and consistent         PO2\nenterprise                optimize the use of this information       information and to seamlessly\narchitecture)                                                        integrate applications into\n                                            
                         business processes\n\n\nDefine the IT             Establishing transparent, flexible and     Being agile in responding to    COBIT\nProcesses,                responsive IT organizational               the business strategy while\nOrganization and          structures and defining and                complying with governance       PO4\nRelationships (IT         implementing IT processes with             requirements and providing\ngovernance                owners, and roles and responsibilities     defined and competent points\ncommittees)               integrated into business and decision      of contact\n\n\n                                                                                                      33\n\x0cIT Governance                                                                                          Standard/Best\n                        Definition                                 Importance\nArea                                                                                                   Practice\n\n                        processes\n\n\nManage the IT           Establishing effective and efficient IT    Improving IT\xe2\x80\x99s cost-efficiency      COBIT\nInvestment              investment and portfolio decisions,        and its contribution to business\n                        and setting and tracking IT budgets in     profitability with integrated and   PO5\n                        line with IT strategy and investment       standardized services that\n                        decisions                                  satisfy end-user expectations\n\n\nManage Quality          Establishing effective ongoing             Ensuring continuous and             COBIT\n                        performance monitoring against             measurable improvement of\n                        predefined objectives and                  the quality of IT services          PO8\n                        implementing a program for        
         delivered.\n                        continuous improvement of IT\n                        services\n\n\nManage Projects         Defining a program and project             Ensuring the delivery of project    COBIT\n                        management approach that is applied        results within agreed-upon\n                        to IT projects and enables                 time frames, budget and             PO10\n                        stakeholder participation in and           quality\n                        monitoring of project risks and\n                        progress\n\n\nAcquire and Implement\n\n\nAcquire and             Ensuring that there is a timely and        Aligning available applications     COBIT\nMaintain Application    cost-effective development process         with business requirements,\nSoftware                                                           and doing so in a timely            AI2\n                                                                   manner and at a reasonable\n                                                                   cost\n\n\nAcquire and             Providing appropriate platforms for        Acquiring and maintaining an        COBIT\nMaintain                the business applications in line with     integrated and standardized IT\nTechnology              the defined IT architecture and            infrastructure                      AI3\nInfrastructure          technology standards\n\n\nProcure IT              Acquiring and maintaining IT skills        Improving IT\xe2\x80\x99s cost-efficiency      COBIT\nResources               that respond to the IT strategy,           and its contribution to business\n                        integrating and standardizing IT           profitability                       AI5\n                        infrastructure, and reducing IT\n                        procurement risk\n\n\nInstall and Accredit    Testing that applications and              Implementing new or 
changed         COBIT\nSolutions and           infrastructure solutions are fit for the   systems that work without\nChanges                 intended purpose and free from             major problems after                AI7\n                        errors, and planning releases to           installation\n\n\n\n                                                                                                        34\n\x0cIT Governance                                                                                         Standard/Best\n                       Definition                                  Importance\nArea                                                                                                  Practice\n\n                       production\n\n\nDeliver and Support\n\n\nDefine and Manage      Identifying service requirements,           Ensuring the alignment of key      COBIT\nService Levels         agreeing on service levels and              IT services with the business\n                       monitoring achievement of service           strategy                           DS1\n                       levels\n\n\nManage Third-party     Establishing relationships and              Providing satisfactory third-      DS2\nServices               bilateral responsibilities with qualified   party services while being\n                       third-party service providers and           transparent about benefits,\n                       monitoring the service delivery to          costs and risks\n                       verify and ensure adherence to\n                       agreements\n\n\nManage Problems        Recording, tracking and resolving           Ensuring end users\xe2\x80\x99                COBIT\n                       operational problems; investigating         satisfaction with service\n                       the root cause of all significant           offerings and service levels,      DS10\n                       problems; and defining 
solutions for        and reducing solution and\n                       identified operations problems              service delivery defects and\n                                                                   rework\n\n\nMonitor and Evaluate\n\n\nMonitor and            Monitoring and reporting process            Transparency and                   COBIT\nEvaluate IT            metrics and identifying and                 understanding of IT cost,\nPerformance            implementing performance                    benefits, strategy, policies and   ME1\n                       improvement actions                         service levels in accordance\n                                                                   with governance requirements\n\n\nEnsure Compliance      Identifying all applicable laws,            Ensuring compliance with           COBIT\nwith External          regulations and contracts and the           laws, regulations and\nRequirements           corresponding level of IT compliance        contractual requirements           ME3\n                       and optimizing IT processes to\n                       reduce the risk of non-compliance\n\n\nProvide IT             Preparing board reports on IT               Integrating IT governance with     COBIT\nGovernance             strategy, performance and risks, and        corporate governance\n                       responding to governance                    objectives                         ME4\n                       requirements in line with board\n                       directions\n\n\n         The COBIT maturity model is based on evaluating and rating an organization on maturity\n         levels of non-existent (0) to optimized (5).\n\n                                                                                                       35\n\x0cWe performed a process maturity evaluation using the following COBIT maturity levels:\n\n 0     Non-Existent: There is a complete lack of any 
recognizable processes. The\n       organization has not even recognized there is an issue to be addressed.\n\n 1     Initial/Ad hoc: There is evidence that the organization has recognized that\n       issues exist and need to be addressed. There are, however, no standardized\n       processes, but instead, there are ad hoc approaches that tend to be applied on\n       an individual or case-by-case basis. The overall approach to management is\n       disorganized.\n\n 2     Repeatable but Intuitive: Processes have developed to the stage where\n       similar procedures are followed by different people undertaking the same task.\n       There is no formal training or communication of standard procedures, and\n       responsibility is left to the individual. There is a high degree of reliance on the\n       knowledge of individuals, and therefore, errors are likely.\n\n 3     Defined Process: Procedures have been standardized and documented, and\n       communicated through training. It is mandated that these processes should be\n       followed; however, it is unlikely that deviations will be detected. The procedures\n       themselves are not sophisticated, but are the formalization of existing practices.\n\n 4     Managed and Measureable: Management monitors and measures compliance\n       with procedures and takes action where processes appear not to be working\n       effectively. Processes are under constant improvement and provide good\n       practice. Automation and tools are used in a limited or fragmented way.\n\n 5     Optimized: Processes have been refined to a level of good practice, based on\n       the results of continuous improvement and maturity modeling with other\n       enterprises. 
IT is used in an integrated way to automate the workflow, providing\n       tools to improve quality and effectiveness, making the enterprise quick to adapt.\nThe COBIT maturity model for each IT governance area assessed is included in\nAppendix III.\n\n\n\n\n                                                                                        36\n\x0c                                                                              APPENDIX II\n\n\n\nMANAGEMENT COMMENTS\n\n\n\n\nApril 29, 2011\n\nTo: Alvin Brown\nOffice of Inspector General\nMillennium Challenge Corporation\n\nFrom: Dennis Lauer, CIO /s/\nMillennium Challenge Corporation\n875 Fifteenth Street NW\nWashington, DC 20005\n\nREF: MCC Request for extension and notice of final action memorandum dated 3/25/2011\n\nSubject: MCC Combined Management Response for the MCC's Implementation of Selected\nKey Project Controls for the MCC Integrated Data Analysis System (MIDAS) (M-000-11-\n002-P) and draft Risk Assessment of MCC's Information Technology (IT) Governance over\nits IT Investments (M-000-11-00X-P)\n\nDear Mr. Brown:\n\nThe Millennium Challenge Corporation (MCC) appreciates the opportunity to further address\nthe audit of MCC's Implementation of Selected Key Project Controls for MIDAS and the\ndraft Risk Assessment of MCC's Information Technology Governance over its IT\nInvestments.\n\nBefore addressing the specific recommendations in the Risk Assessment, MCC notes that\ncorrections should be made to pages five and ten of the draft report regarding references to\nthe Chief Information Officer's (CIO) reporting relationship to MCC's Chief Executive\nOfficer (CEO). 
Specifically, these references state that the CIO's dotted line reporting relationship to the CEO does not reflect the level of importance of IT issues within MCC. Subsequent to the issuance of this draft Risk Assessment, the Office of Inspector General (OIG) informed MCC that the CIO's reporting relationship was no longer an open recommendation and that the OIG recognized that MCC made a management decision on this issue. The OIG reserved the right to monitor the issue in future IT audits, but the circumstances outlined in the MIDAS and IT governance audits predate the reporting relationship change implemented by MCC. A copy of the OIG memorandum is attached.

MCC understands and appreciates the important role of proper IT governance to ensure that IT investments are aligned and prioritized within corporate business objectives and available corporate resources. Effective management is critical to deliver projects on schedule and within budget, as well as to assure that projects meet their objective. Considering that MCC has only operated for seven years, the Agency already has made significant progress toward establishing effective governance of IT investments. Specifically, a few of the steps already taken to implement IT governance rigor at MCC are:

   1.   Established a comprehensive IT Governance structure including the Enterprise Architecture Steering Committee (EASC), a newly established Executive Advisory Board (EAB), Integrated Project Teams (IPTs) and working groups for the major IT project(s).

   2.   Revised the EASC charter to reflect the new structure.

   3.   Established a charter for the MIDAS Integrated Project Team.

   4.   Established weekly project reviews by the CIO with each project manager.

   5.   Developed two tools (the Executive Level tracker and the PM central task manager) to manage budget, schedule and risk for IT investments.

   6.   Established and filled a dedicated Program Manager position to develop and manage the Combined Corrective Action Plan (CCAP).

   7.   Awarded a multi-year IT Planning contract to provide the incremental technical support required to execute the corrective action plan.

While MCC concurs with the 23 IT Governance recommendations and the 9 MIDAS audit recommendations, it became apparent that we needed more time to develop a detailed CCAP. Consistent with the principles emphasized in the recommendations on good governance: thorough advance planning, realistic timeframes, and the identification of requisite resources, MCC is ensuring that the CCAP itself reflects solid project management. As part of this effort MCC will review the plan with the EASC, identify resource requirements, and allocate budgetary and other resources to develop and execute our corrective action plan. The current budget environment and rational sequencing of the combined 32 recommendations will require MCC to prioritize and divide into implementation phases the deliverables within the action plan.

Therefore, MCC will develop a CCAP by July 31, 2011. The CCAP will address the recommendations contained in MCC's Implementation of Selected Key Project Controls for MIDAS (M-000-11-002-P) and the draft report on the Risk Assessment Of The Millennium Challenge Corporation's Information Technology Governance Over Its Information Technology Investments (M-000-11-00X-P).

The CCAP will incorporate the recommendations from both documents into a cohesive approach and ensure the most effective use of MCC's resources. Budgetary projections indicate a constrained environment for the foreseeable future. As such, this CCAP will focus on the judicious use of limited funds to achieve the greatest impact toward maturing MCC's IT governance processes and structure. The basic structure and consolidation objectives of the MCC CCAP follow below.

The MCC CCAP will be divided into four phases. The first phase is the Systems Development Life Cycle (SDLC) policy and procedures development and roll-out, and it will address MIDAS recommendations 1, 5, 6, 7, 8, 9 and IT Governance recommendations 12, 14, 18, 19, 20, 23. The second phase is the planning and establishment of the policies and procedures for the MCC IT Program Management Office (PMO). This phase will address MIDAS recommendation 3 and IT Governance recommendations 1, 2, 5, 6, 7, 8, 13, 15, 16, 17, 21, 22. The third phase is the implementation of the PMO and will address MIDAS recommendations 2, 4 and IT Governance recommendations 9, 10, 11. The fourth phase is the evaluation and adjustment phase and it will address IT Governance recommendations 3 and 4.

CCAP Phase One:

MIDAS Recommendation No. 1: Develop a detailed, written plan to establish strong project management capabilities for IT projects.

Management Response: MCC will develop a CCAP to establish project management capabilities for Information Technology projects by July 31st, 2011.

MIDAS Recommendation No. 5: Develop written policies and procedures to obtain written approval for relying on a contractor's systems development life cycle (SDLC) methodology.

Management Response: MCC will establish a corporate SDLC policy. The milestones and dates associated with this deliverable will be addressed in the Combined Action Plan.

MIDAS Recommendation No. 6: Develop written policies and procedures to address key decision points for IT projects.

Management Response: MCC will develop SDLC procedures to address key decision points for Information Technology projects. The milestones and dates associated with this deliverable will be addressed in the Combined Action Plan.

MIDAS Recommendation No. 7: Establish in writing what documentation must be prepared, updated, and maintained for IT projects.

Management Response: MCC will develop SDLC procedures which will address the documentation necessary for maintaining IT projects. The milestones and dates associated with this deliverable will be addressed in the Combined Action Plan.

MIDAS Recommendation No. 8: Implement risk management, earned value management, and requirements management for the MIDAS project before proceeding to the development phase to build additional functionality for the system.

Management Response: MCC will implement risk management, earned value management and requirements management for the MIDAS project before proceeding to the development phase to build additional functionality for the system. The milestones and dates associated with this deliverable will be addressed in the CCAP. The current systems to manage risk, earned value, and requirements for the MIDAS project will be adjusted as necessary to meet the milestones and dates in the CCAP.

MIDAS Recommendation No. 9: Review MCC's IT project management capabilities and determine whether its weaknesses should be reported, tracked, and monitored as a material weakness pursuant to the Federal Managers Financial Integrity Act of 1982.

Management Response: MCC will refer this to the Senior Assessment Board (SAB) for a determination of whether IT project management capabilities should be reported, tracked and monitored as a material weakness pursuant to the Federal Managers Financial Integrity Act of 1982. The milestone and date associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 12: We recommend that the Millennium Challenge Corporation Chief Information Officer implement a process to incorporate the following components into its projects:
   •   A project governance structure that includes the roles, responsibilities, and accountabilities of various key players in project management.
   •   Project sponsors assigned for the execution of each project.
   •   Project office and project manager.
   •   Elements such as approving the initiation of phases, communicating to all stakeholders the status of projects, establishing an integrated project plan, project quality plan, and defining the responsibilities of project team members.
   •   Project risk management through the process of planning, identifying, analyzing, responding to, monitoring and controlling risk.
   •   Project change control.
   •   Lessons learned.

Management Response: MCC will incorporate these components into Information Technology (IT) projects with the implementation of a systems development life cycle. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 14: We recommend that the Millennium Challenge Corporation Chief Information Officer finalize and implement the system development life cycle.

Management Response: MCC's CIO will finalize and implement the SDLC. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 18: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process to ensure end user testing and evaluation of developed applications.

Management Response: MCC's CIO will develop and implement a process to ensure end user testing and evaluation of developed applications with the implementation of the systems development life cycle. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 19: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process to ensure personnel are trained in the use of developed applications.

Management Response: MCC's CIO will develop and implement a process to ensure personnel are trained in the use of developed applications with the implementation of the systems development life cycle. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 20: We recommend that the Millennium Challenge Corporation Chief Information Officer document and implement policies and procedures for data conversion, testing of applications and infrastructure migration.

Management Response: MCC's CIO will document and implement policies and procedures for data conversion, testing of applications and infrastructure migration with the implementation of the systems development life cycle. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 23: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a monitoring process to ensure that all IT projects are provided a priority level commensurate with the direction and goals of the Agency as a whole, not with the goals of individual leaders within the Agency.

Management Response: The MCC's CIO will develop and implement a monitoring process to ensure that all IT projects are included as part of the Enterprise IT portfolio review process. The milestones and dates associated with this deliverable will be addressed in the CCAP.

CCAP Phase Two:

MIDAS Recommendation No. 3: Develop written policies and procedures to plan for, mitigate, monitor, and report on risks to IT projects.

Management Response: MCC will develop an IT Project Risk Management Policy. The milestone and date associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 1: We recommend that the Millennium Challenge Corporation Chief Information Officer update the information technology strategic plan to reflect current enterprise strategic goals.

Management Response: MCC's CIO will update the information technology strategic plan to reflect current enterprise strategic goals. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 2: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a formal process for managing risk and updating the information technology strategic plan accordingly. Risk management must drive enterprise architecture decisions, providing secure information system environments for critical applications. The plan should be reviewed at a minimum annually and when major events occur that have an impact on strategic goals. When updating the information technology strategic plan the Chief Information Officer should verify compliance with the Office of Management and Budget Circular No. A-130, Management of Federal Information Systems, with regard to the capital planning and investment control process which includes the information resource management strategic plan and the information technology capital plan which is required to be updated twice yearly.

Management Response: The MCC's CIO will develop and implement a formal process for managing risk and updating the information technology strategic plan accordingly. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 5: We recommend that the Millennium Challenge Corporation Chief of Staff develop and implement a formal process that must be consistently applied for the Enterprise Architecture Steering Committee to prioritize information technology enabled-investment programs.

Management Response: The MCC's Chief of Staff (CoS) will develop, implement, and consistently apply a formal process for the EASC to prioritize information technology-enabled investment programs. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 6: We recommend that the Millennium Challenge Corporation Chief of Staff formally document and implement a process requiring the Enterprise Architecture Steering Committee to consider risk management when discussing strategic direction and approval of information technology investments.

Management Response: MCC's CoS will formally document and implement a process requiring the EASC to consider risk management when discussing strategic direction and approval of information technology investments. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 7: We recommend that Millennium Challenge Corporation Chief Information Officer (1) conduct an analysis to determine whether the information technology function has sufficient resources to adequately support the business goals and objectives of the organization and (2) through the organization's budgeting process, submit a written request for additional resources to address any shortfalls identified in the analysis.

Management Response: Within the context of MCC's overall budgetary constraints and budgeting process, MCC's CIO will (1) conduct an analysis to determine whether the information technology function has sufficient resources to adequately support the business goals and objectives of the organization and (2) through the organization's budgeting process, submit a written request for additional resources to address any shortfalls identified in the analysis. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 13: We recommend that the Millennium Challenge Corporation Chief Information Officer implement a process to verify that risk management plans and Exhibit 300 business cases are consistently used, monitored and updated annually for all IT projects as required.

Management Response: The MCC's CIO will implement a process to verify that risk management plans and Exhibit 300 business cases are consistently used, monitored and updated annually for all IT projects as required. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 15: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a policy to fully address the maintenance of software applications.

Management Response: MCC's CIO will develop and implement a policy to fully address the maintenance of software applications. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 16: We recommend that the Millennium Challenge Corporation Chief Information Officer develop and implement a process for ensuring the integration of software into the current infrastructure is properly planned and executed.

Management Response: MCC's CIO will develop and implement a process for ensuring the integration of software into the current infrastructure is properly planned and executed. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 8: We recommend that the Millennium Challenge Corporation Deputy Chief Financial Officer revise the budget policy and procedures to account for the change from line item budgeting to project budgeting.

Management Response: MCC's Deputy Chief Financial Officer will revise the budget and policy procedures to account for the change from the line item budgeting to project budgeting for Information Technology projects. The milestones and dates associated with this deliverable will be addressed in the CCAP.

IT Governance Recommendation No. 17: We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement information technology acquisition instructions that provide a methodology to evaluate the components of information technology acquisition contracts.

Management Response: The MCC's Managing Director for Contracts and Grant Management (CGM) will develop and implement IT acquisition instructions to include a methodology for acquisition planning that addresses the different components of IT acquisition contracts by July 31, 2011.

IT Governance Recommendation No. 21: We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement a process to enforce the creation of service level agreements for all endeavors requiring contract support.

Management Response: MCC's Managing Director for CGM will develop guidelines for establishing SLAs and requirements for including SLAs in large and complex information technology contracts by July 31, 2011.

IT Governance Recommendation No. 22: We recommend that the Millennium Challenge Corporation Director of Contracting develop and implement a process for periodic review and feedback of performance for all contractors to improve service delivery and support early detection of potential problems.

Management Response: MCC's Managing Director for CGM will develop guidance and requirements for periodic contractor performance reviews that will provide for early detection of problems and improved service delivery on large and complex information technology contracts, including the use of the Contract Performance Assessment Rating System (CPARS), by July 31, 2011.

CCAP Plan Phase Three:

MIDAS Recommendation No. 
2: Develop written earned value management policies and\nprocedures for IT projects, as required.\n\nManagement Response: MCC will develop an Earned Value Management policy that is\nANSI-EIA 748A compliant. The milestones and dates associated with this deliverable will be\naddressed in the CCAP.\n\nMIDAS Recommendation No .4: Update the Contracts Operating Manual to include\nprocedures for including risk management and earned value management in contracting\nactions, when required.\n\nManagement Response: MCC will update the Contracts Operating Manual to include\nprocedures for including risk management and earned value management in contracting\nactions, when required. The milestones and dates associated with this deliverable will be\naddressed in the CCAP.\n\nIT Governance Recommendation No. 9: We recommend that the Millennium Challenge\nCorporation Chief Information Officer develop a process and implement a tool for\nmonitoring project plans and work completed to determine earned value, providing an early\nwarning of performance issues impacting project budgets.\n\n\n\n\n                                                                                          44\n\x0c                                                                                  Appendix II\n\n\nManagement Response: MCC's CIO will develop a process and implement a tool for\nmonitoring project plans and work completed to determine earned value, providing an early\nwarning of performance issues impacting project budgets. The milestones and dates\nassociated with this deliverable will be addressed in the CCAP.\n\nIT Governance Recommendation No. 
10: We recommend that the Millennium Challenge\nCorporation Chief Information Officer define quality requirements, criteria, and key\nperformance indicators for evaluation of quality management for key IT processes.\n\nManagement Response: The MCC's CIO will define quality requirements, criteria, and key\nperformance indicators for evaluation of quality management for key IT processes. The\nmilestones and dates associated with this deliverable will be addressed in the CCAP.\n\nIT Governance Recommendation No. 11: We recommend that the Millennium Challenge\nCorporation Chief Information Officer identify and document standards, procedures, and\npractices for key IT processes to guide the Agency in defining and evaluating criteria for\nquality management.\n\nManagement Response: MCC's CIO will identify and document standards, procedures, and\npractices for key IT processes to guide the Agency in defining and evaluating criteria for\nquality management. The milestones and dates associated with this deliverable will be\naddressed in the CCAP.\n\nCCAP Phase Four:\n\nIT Governance Recommendation No. 3: We recommend that the Millennium Challenge\nCorporation Chief Information Officer complete the enterprise information architecture\nplanning and implementation project as discussed in the Executive Level Notional OCIO 2\nYear Portfolio in order to maintain an information architecture that reflects the business\nrequirements.\n\nManagement Response: MCC's CIO will complete the enterprise information architecture\nplanning and implementation project as discussed in the Executive Level Notional OCIO 2\nYear Portfolio in order to maintain an information architecture that reflects the business\nrequirements. The milestones and dates associated with this deliverable will be addressed in\nthe CCAP.\n\nIT Governance Recommendation No. 
4: We recommend that the Millennium Challenge\nCorporation Chief Information Officer develop and implement a project plan for leveraging\ndata as indicated in the authoritative data source process and methodology in order to provide\nbusiness users access to detailed information to aid in analysis and decision making by\nJune 30th, 2012.\n\nManagement Response: MCC's CIO will develop and implement a project plan for\nleveraging data as indicated in the authoritative data source process and methodology in\norder to provide business users access to detailed information to aid in analysis and decision\nmaking. The milestones and dates associated with this deliverable will be addressed in the\nCCAP.\n\n\n                                                                                           45\n\x0c                                                                              Appendix II\n\n\n\nFinally, there are statements in the draft report on the Risk Assessment that should be\nclarified. 
The document indicates that the Enterprise Architecture Data Reference Model (DRM) would be complete in the Spring of 2011, whereas the DRM will not actually be complete until September 2011.

If you have any questions, comments or concerns please feel free to contact me on 202.521.7257.

Attachments:

CC:    IG/MCC, Lisa Banks
       IG/MCC, Aleta Johnson
       MCC/A&F/FMD, Arlene McDonald

APPENDIX III

COBIT MATURITY MODEL MEASUREMENT CRITERIA

PO1 Define a Strategic IT Plan
PO1 Maturity Model
Control over the IT process “Define a Strategic IT Plan” with the business goal of sustaining or extending the business strategy and governance requirement while remaining transparent about benefits, costs and risks.
Measurement
0 Non-existent when
IT strategic planning is not performed. There is no management awareness that IT strategic planning is needed to support business goals.
1 Initial/Ad Hoc when
The need for IT strategic planning is known by IT management. IT planning is performed on an as-needed basis in response to a specific business requirement. IT strategic planning is occasionally discussed at IT management meetings. The alignment of business requirements, applications and technology takes place reactively rather than by an organization wide strategy. The strategic risk position is identified informally on a project-by-project basis.
2 Repeatable but Intuitive when
IT strategic planning is shared with business management on an as-needed basis. Updating of the IT plans occurs in response to requests by management. Strategic decisions are driven on a project-by-project basis without consistency with an overall organization strategy.
The risks and user benefits of major strategic decisions are recognized in an intuitive way.
3 Defined when
A policy defines when and how to perform IT strategic planning. IT strategic planning follows a structured approach that is documented and known to all staff. The IT planning process is reasonably sound and ensures that appropriate planning is likely to be performed. However, discretion is given to individual managers with respect to implementation of the process, and there are no procedures to examine the process. The overall IT strategy includes a consistent definition of risks that the organization is willing to take as an innovator or follower. The IT financial, technical and human resources strategies increasingly influence the acquisition of new products and technologies. IT strategic planning is discussed at business management meetings.
4 Managed and Measurable when
IT strategic planning is standard practice and exceptions would be noticed by management. IT strategic planning is a defined management function with senior-level responsibilities. Management is able to monitor the IT strategic planning process, make informed decisions based on it and measure its effectiveness. Both short-range and long-range IT planning occurs and is cascaded down into the organization, with updates done as needed. The IT strategy and organization-wide strategy are increasingly becoming more coordinated by addressing business processes and value-added capabilities and leveraging the use of applications and technologies through business process re-engineering.
There is a well-defined process for determining the usage of internal and external resources required in system development and operations.
5 Optimized when
IT strategic planning is a documented, living process; is continuously considered in business goal setting; and results in discernible business value through investments in IT. Risk and value-added considerations are continuously updated in the IT strategic planning process. Realistic long-range IT plans are developed and constantly updated to reflect changing technology and business-related developments. Benchmarking against well-understood and reliable industry norms takes place and is integrated with the strategy formulation process. The strategic plan includes how new technology developments can drive the creation of new business capabilities and improve the competitive advantage of the organization.

PO2 Define the Information Architecture
PO2 Maturity Model
Control over the IT process “Define the Information Architecture” with the business goal of being agile in responding to requirements, to provide reliable and consistent information, and to seamlessly integrate applications into business processes.
Measurement
0 Non-existent when
There is no awareness of the importance of the information architecture for the organization. The knowledge, expertise and responsibilities necessary to develop this architecture do not exist in the organization.
1 Initial/Ad Hoc when
Management recognizes the need for an information architecture. Development of some components of an information architecture is occurring on an ad hoc basis. The definitions address data, rather than information, and are driven by application software vendor offerings.
There is inconsistent and sporadic communication of the need for an information architecture.
2 Repeatable but Intuitive when
An information architecture process emerges and similar, though informal and intuitive, procedures are followed by different individuals within the organization. Staff obtain their skills in building the information architecture through hands-on experience and repeated application of techniques. Tactical requirements drive the development of information architecture components by individual staff members.
3 Defined when
The importance of the information architecture is understood and accepted, and responsibility for its delivery is assigned and clearly communicated. Related procedures, tools and techniques, although not sophisticated, have been standardized and documented and are part of informal training activities. Basic information architecture policies have been developed, including some strategic requirements, but compliance with policies, standards and tools is not consistently enforced. A formally defined data administration function is in place, setting organization-wide standards, and is beginning to report on the delivery and use of the information architecture. Automated tools are beginning to be employed, but the processes and rules used are defined by database software vendor offerings. A formal training plan has been developed, but formalized training is still based on individual initiatives.
4 Managed and Measurable when
The development and enforcement of the information architecture are fully supported by formal methods and techniques. Accountability for the performance of the architecture development process is enforced and success of the information architecture is being measured.
Supporting automated tools are widespread, but are not yet integrated. Basic metrics have been identified and a measurement system is in place. The information architecture definition process is proactive and focused on addressing future business needs. The data administration organization is actively involved in all application development efforts, to ensure consistency. An automated repository is fully implemented. More complex data models are being implemented to leverage the information content of the databases. Executive information systems and decision support systems are leveraging the available information.
5 Optimized when
The information architecture is consistently enforced at all levels. The value of the information architecture to the business is continually stressed. IT personnel have the expertise and skills necessary to develop and maintain a robust and responsive information architecture that reflects all the business requirements. The information provided by the information architecture is consistently and extensively applied. Extensive use is made of industry good practices in the development and maintenance of the information architecture, including a continuous improvement process. The strategy for leveraging information through data warehousing and data mining technologies is defined.
The information architecture is continuously improving and takes into consideration non-traditional information on processes, organizations and systems.

PO4 Define the IT Processes, Organization and Relationships
PO4 Maturity Model
Control over the IT process “Define the IT Processes, Organization and Relationships” with the business goal of being agile in responding to the business strategy whilst complying with governance requirements and providing defined and competent points of contact.
Measurement
0 Non-existent when
The IT organization is not effectively established to focus on the achievement of business objectives.
1 Initial/Ad Hoc when
IT activities and functions are reactive and inconsistently implemented. IT is involved in business projects only in later stages. The IT function is considered a support function, without an overall organization perspective. There is an implicit understanding of the need for an IT organization; however, roles and responsibilities are neither formalized nor enforced.
2 Repeatable but Intuitive when
The IT function is organized to respond tactically, but inconsistently, to customer needs and vendor relationships. The need for a structured organization and vendor management is communicated, but decisions are still dependent on the knowledge and skills of key individuals. There is an emergence of common techniques to manage the IT organization and vendor relationships.
3 Defined when
Defined roles and responsibilities for the IT organization and third parties exist. The IT organization is developed, documented, communicated and aligned with the IT strategy. The internal control environment is defined.
There is formalization of relationships with other parties, including steering committees, internal audit and vendor management. The IT organization is functionally complete. There are definitions of the functions to be performed by IT personnel and those to be performed by users. Essential IT staffing requirements and expertise are defined and satisfied. There is a formal definition of relationships with users and third parties. The division of roles and responsibilities is defined and implemented.
4 Managed and Measurable when
The IT organization proactively responds to change and includes all roles necessary to meet business requirements. IT management, process ownership, accountability and responsibility are defined and balanced. Internal good practices have been applied in the organization of the IT functions. IT management has the appropriate expertise and skills to define, implement and monitor the preferred organization and relationships. Measurable metrics to support business objectives and user-defined critical success factors (CSFs) are standardized. Skill inventories are available to support project staffing and professional development. The balance between the skills and resources available internally and those needed from external organizations is defined and enforced. The IT organizational structure appropriately reflects the business needs by providing services aligned with strategic business processes, rather than with isolated technologies.
5 Optimized when
The IT organizational structure is flexible and adaptive. Industry good practices are deployed. There is extensive use of technology to assist in monitoring the performance of the IT organization and processes.
Technology is leveraged in line to support the complexity and geographic distribution of the organization. There is a continuous improvement process in place.

PO5 Managing the IT Investment
PO5 Maturity Model
Control over the IT process “Manage the IT Investment” with the business goal of continuously and demonstrably improving IT’s cost-efficiency and its contribution to business profitability with integrated and standardized services that satisfy end-user expectations.
Measurement
0 Non-existent when
There is no awareness of the importance of IT investment selection and budgeting. There is no tracking or monitoring of IT investments and expenditures.
1 Initial/Ad Hoc when
The organization recognizes the need for managing the IT investment, but this need is communicated inconsistently. Allocation of responsibility for IT investment selection and budget development is done on an ad hoc basis. Isolated implementations of IT investment selection and budgeting occur, with informal documentation. IT investments are justified on an ad hoc basis. Reactive and operationally focused budgeting decisions occur.
2 Repeatable but Intuitive when
There is an implicit understanding of the need for IT investment selection and budgeting. The need for a selection and budgeting process is communicated. Compliance is dependent on the initiative of individuals in the organization. There is an emergence of common techniques to develop components of the IT budget. Reactive and tactical budgeting decisions occur.
3 Defined when
Policies and processes for investment and budgeting are defined, documented and communicated, and cover key business and technology issues. The IT budget is aligned with the strategic IT and business plans.
The budgeting and IT investment selection processes are formalized, documented and communicated. Formal training is emerging but is still based primarily on individual initiatives. Formal approval of IT investment selections and budgets is taking place. IT staff members have the expertise and skills necessary to develop the IT budget and recommend appropriate IT investments.
4 Managed and Measurable when
Responsibility and accountability for investment selection and budgeting are assigned to a specific individual. Budget variances are identified and resolved. Formal costing analysis is performed, covering direct and indirect costs of existing operations, as well as proposed investments, considering all costs over a total life cycle. A proactive and standardized process for budgeting is used. The impact of shifting in development and operating costs from hardware and software to systems integration and IT human resources is recognized in the investment plans. Benefits and returns are calculated in financial and non-financial terms.
5 Optimized when
Industry good practices are used to benchmark costs and identify approaches to increase the effectiveness of investments. Analysis of technological developments is used in the investment selection and budgeting process. The investment management process is continuously improved based on lessons learned from the analysis of actual investment performance. Investment decisions incorporate price/performance improvement trends. Funding alternatives are formally investigated and evaluated within the context of the organization’s existing capital structure, using formal evaluation methods. There is proactive identification of variances.
An analysis of the long-term cost and benefits of the total life cycle is incorporated in the investment decisions.

PO8 Manage Quality
PO8 Maturity Model
Control over the IT process “Manage Quality” with the business goal of ensuring continuous and measurable improvement of the quality of IT services delivered.
Measurement
0 Non-existent when
The organization lacks a QMS planning process and a system development life cycle (SDLC) methodology. Senior management and IT staff members do not recognize that a quality program is necessary. Projects and operations are never reviewed for quality.
1 Initial/Ad Hoc when
There is a management awareness of the need for a QMS. The QMS is driven by individuals where it takes place. Management makes informal judgments on quality.
2 Repeatable but Intuitive when
A program is being established to define and monitor QMS activities within IT. QMS activities that do occur are focused on IT project- and process-oriented initiatives, not on organization-wide processes.
3 Defined when
A defined QMS process is communicated throughout the enterprise by management and involves IT and end-user management. An education and training program is emerging to teach all levels of the organization about quality. Basic quality expectations are defined and are shared amongst projects and within the IT organization. Common tools and practices for quality management are emerging. Quality satisfaction surveys are planned and occasionally conducted.
4 Managed and Measurable when
The QMS is addressed in all processes, including processes with reliance on third parties. A standardized knowledge base is being established for quality metrics. Cost-benefit analysis methods are used to justify QMS initiatives.
Benchmarking against the industry and competitors is emerging. An education and training program is instituted to teach all levels of the organization about quality. Tools and practices are being standardized, and root cause analysis is periodically applied. Quality satisfaction surveys are consistently conducted. A standardized program for measuring quality is in place and well structured. IT management is building a knowledge base for quality metrics.
5 Optimized when
The QMS is integrated and enforced in all IT activities. QMS processes are flexible and adaptable to changes in the IT environment. The knowledge base for quality metrics is enhanced with external good practices. Benchmarking against external standards is routinely performed. Quality satisfaction surveying is an ongoing process and leads to root cause analysis and improvement actions. There is formal assurance on the level of the quality management process.

PO10 Manage Projects
PO10 Maturity Model
Control over the IT process “Manage Projects” with the business goal of ensuring the delivery of project results within agreed-upon time frames, budget and quality.
Measurement
0 Non-existent when
Project management techniques are not used and the organization does not consider business impacts associated with project mismanagement and development project failures.
1 Initial/Ad Hoc when
The use of project management techniques and approaches within IT is a decision left to individual IT managers. There is a lack of management commitment to project ownership and project management. Critical decisions on project management are made without user management or customer input. There is little or no customer and user involvement in defining IT projects.
There is no clear organization within IT for the management of projects. Roles and responsibilities for the management of projects are not defined. Projects, schedules and milestones are poorly defined, if at all. Project staff time and expenses are not tracked and compared to budgets.
2 Repeatable but Intuitive when
Senior management gains and communicates an awareness of the need for IT project management. The organization is in the process of developing and utilizing some techniques and methods from project to project. IT projects have informally defined business and technical objectives. There is limited stakeholder involvement in IT project management. Initial guidelines are developed for many aspects of project management. Application of project management guidelines is left to the discretion of the individual project manager.
3 Defined when
The IT project management process and methodology are established and communicated. IT projects are defined with appropriate business and technical objectives. Senior IT and business management are beginning to be committed and involved in the management of IT projects. A project management office is established within IT, with initial roles and responsibilities defined. IT projects are monitored, with defined and updated milestones, schedules, budget and performance measurements. Project management training is available and is primarily a result of individual staff initiatives. QA procedures and post-system implementation activities are defined, but are not broadly applied by IT managers. Projects are beginning to be managed as portfolios.
4 Managed and Measurable when
Management requires formal and standardized project metrics and lessons learned to be reviewed following project completion.
Project management is measured and evaluated throughout the organization and not just within IT. Enhancements to the project management process are formalized and communicated with project team members trained on enhancements. IT management implements a project organization structure with documented roles, responsibilities and staff performance criteria. Criteria for evaluating success at each milestone are established. Value and risk are measured and managed prior to, during and after the completion of projects. Projects increasingly address organization goals, rather than only IT-specific ones. There is strong and active project support from senior management sponsors as well as stakeholders. Relevant project management training is planned for staff in the project management office and across the IT function.
5 Optimized when
A proven, full life cycle project and program methodology is implemented, enforced and integrated into the culture of the entire organization. An ongoing initiative to identify and institutionalize best project management practices is implemented. An IT strategy for sourcing development and operational projects is defined and implemented. An integrated project management office is responsible for projects and programs from inception to post-implementation.
Organization-wide planning of programs and projects ensures that user and IT resources are best utilized to support strategic initiatives.

AI2 Acquire and Maintain Application Software
AI2 Maturity Model
Control over the IT process “Acquire and Maintain Application Software” with the business goal of aligning available applications with business requirements, and doing so in a timely manner and at a reasonable cost.
Measurement
0 Non-existent when
There is no process for designing and specifying applications. Typically, applications are obtained based on vendor-driven offerings, brand recognition or IT staff familiarity with specific products, with little or no consideration of actual requirements.
1 Initial/Ad Hoc when
There is an awareness that a process for acquiring and maintaining applications is required. Approaches to acquiring and maintaining application software vary from project to project. Some individual solutions to particular business requirements are likely to have been acquired independently, resulting in inefficiencies with maintenance and support.
2 Repeatable but Intuitive when
There are different, but similar, processes for acquiring and maintaining applications based on the expertise within the IT function. The success rate with applications depends greatly on the in-house skills and experience levels within IT. Maintenance is usually problematic and suffers when internal knowledge is lost from the organization. There is little consideration of application security and availability in the design or acquisition of application software.
3 Defined when
A clear, defined and generally understood process exists for the acquisition and maintenance of application software.
This process is aligned with IT and business strategy. An attempt is made to apply the documented processes consistently across different applications and projects. The methodologies are generally inflexible and difficult to apply in all cases, so steps are likely to be bypassed. Maintenance activities are planned, scheduled and coordinated.
4 Managed and Measurable when
There is a formal and well-understood methodology that includes a design and specification process, criteria for acquisition, a process for testing and requirements for documentation. Documented and agreed-upon approval mechanisms exist to ensure that all steps are followed and exceptions are authorized. Practices and procedures evolve and are well suited to the organization, used by all staff and applicable to most application requirements.
5 Optimized when
Application software acquisition and maintenance practices are aligned with the defined process. The approach is component based, with predefined, standardized applications matched to business needs. The approach is enterprise wide. The acquisition and maintenance methodology is well advanced and enables rapid deployment, allowing for high responsiveness and flexibility in responding to changing business requirements. The application software acquisition and implementation methodology is subjected to continuous improvement and is supported by internal and external knowledge databases containing reference materials and good practices.
The methodology creates documentation in a predefined structure that makes production and maintenance efficient.

AI3 Acquire and Maintain Technology Infrastructure
AI3 Maturity Model
Control over the IT process "Acquire and Maintain Technology Infrastructure" with the business goal of acquiring and maintaining an integrated and standardized IT infrastructure.
Measurement
0 Non-existent when
Managing the technology infrastructure is not recognized as a sufficiently important topic to be addressed.
1 Initial/Ad Hoc when
There are changes made to infrastructure for every new application, without any overall plan. Although there is an awareness that the IT infrastructure is important, there is no consistent overall approach. Maintenance activity reacts to short-term needs. The production environment is the test environment.
2 Repeatable but Intuitive when
There is a consistency amongst tactical approaches when acquiring and maintaining the IT infrastructure. Acquisition and maintenance of IT infrastructure are not based on any defined strategy and do not consider the needs of the business applications that must be supported. There is an understanding that the IT infrastructure is important, supported by some formal practices. Some maintenance is scheduled, but it is not fully scheduled and coordinated. For some environments, a separate test environment exists.
3 Defined when
A clear, defined and generally understood process exists for acquiring and maintaining IT infrastructure. The process supports the needs of critical business applications and is aligned to IT and business strategy, but it is not consistently applied. Maintenance is planned, scheduled and coordinated.
There are separate environments for test and production.
4 Managed and Measurable when
The acquisition and maintenance process for technology infrastructure has developed to the point where it works well for most situations, is followed consistently and is focused on reusability. The IT infrastructure adequately supports the business applications. The process is well organized and proactive. The cost and lead time to achieve the expected level of scalability, flexibility and integration are partially optimized.
5 Optimized when
The acquisition and maintenance process for technology infrastructure is proactive and closely aligned with critical business applications and the technology architecture. Good practices regarding technology solutions are followed, and the organization is aware of the latest platform developments and management tools. Costs are reduced by rationalizing and standardizing infrastructure components and by using automation. A high level of technical awareness can identify optimum ways to proactively improve performance, including consideration of outsourcing options. The IT infrastructure is seen as the key enabler to leveraging the use of IT.

AI5 Procure IT Resources
AI5 Maturity Model
Control over the IT process "Procure IT Resources" with the business goal of improving IT's cost-efficiency and its contribution to business profitability.
Measurement
0 Non-existent when
There is no defined IT resource procurement process in place.
The organization does not recognize the need for clear procurement policies and procedures to ensure that all IT resources are available in a timely and cost-efficient manner.
1 Initial/Ad Hoc when
The organization recognizes the need to have documented policies and procedures that link IT acquisition to the business organization's overall procurement process. Contracts for the acquisition of IT resources are developed and managed by project managers and other individuals exercising their professional judgment rather than as a result of formal procedures and policies. There is only an ad hoc relationship between corporate acquisition and contract management processes and IT. Contracts for acquisition are managed at the conclusion of projects rather than on a continuous basis.
2 Repeatable but Intuitive when
There is organizational awareness of the need to have basic policies and procedures for IT acquisition. Policies and procedures are partially integrated with the business organization's overall procurement process. Procurement processes are mostly utilized for large and highly visible projects. Responsibilities and accountabilities for IT procurement and contract management are determined by the individual contract manager's experience. The importance of supplier management and relationship management is recognized; however, it is addressed based on individual initiative. Contract processes are mostly utilized by large or highly visible projects.
3 Defined when
Management institutes policies and procedures for IT acquisition. Policies and procedures are guided by the business organization's overall procurement process. IT acquisition is largely integrated with overall business procurement systems.
IT standards for the acquisition of IT resources exist. Suppliers of IT resources are integrated into the organization's project management mechanisms from a contract management perspective. IT management communicates the need for appropriate acquisitions and contract management throughout the IT function.
4 Managed and Measurable when
IT acquisition is fully integrated with overall business procurement systems. IT standards for the acquisition of IT resources are used for all procurements. Measurements on contract and procurement management are taken relevant to the business cases for IT acquisition. Reporting on IT acquisition activity that supports business objectives is available. Management is usually aware of exceptions to the policies and procedures for IT acquisition. Strategic management of relationships is developing. IT management enforces the use of the acquisition and contract management process for all acquisitions by reviewing performance measurement.
5 Optimized when
Management institutes thorough procurement processes for the acquisition of IT resources. Management enforces compliance with policies and procedures for IT acquisition. Measurements on contract and procurement management are taken that are relevant to the business cases for IT acquisitions. Good relationships are established over time with most suppliers and partners, and the quality of relationships is measured and monitored. Relationships are managed strategically. IT standards, policies and procedures for the acquisition of IT resources are managed strategically and respond to measurement of the process.
IT management communicates the strategic importance of appropriate acquisition and contract management throughout the IT function.

AI7 Install and Accredit Solutions and Changes
AI7 Maturity Model
Control over the IT process "Install and Accredit Solutions and Changes" with the business goal of implementing new or changed systems that work without major problems after installation.
Measurement
0 Non-existent when
There is a complete lack of formal installation or accreditation processes, and neither senior management nor IT staff members recognize the need to verify that solutions are fit for the intended purpose.
1 Initial/Ad Hoc when
There is an awareness of the need to verify and confirm that implemented solutions serve the intended purpose. Testing is performed for some projects, but the initiative for testing is left to the individual project teams, and the approaches taken vary. Formal accreditation and sign-off are rare or non-existent.
2 Repeatable but Intuitive when
There is some consistency amongst the testing and accreditation approaches, but typically they are not based on any methodology. The individual development teams normally decide the testing approach, and there is usually an absence of integration testing. There is an informal approval process.
3 Defined when
A formal methodology relating to installation, migration, conversion and acceptance is in place. IT installation and accreditation processes are integrated into the system life cycle and automated to some extent.
Training, testing and transition to production status and accreditation are likely to vary from the defined process, based on individual decisions. The quality of systems entering production is inconsistent, with new systems often generating a significant level of post-implementation problems.
4 Managed and Measurable when
The procedures are formalized and developed to be well organized and practical with defined test environments and accreditation procedures. In practice, all major changes to systems follow this formalized approach. Evaluation of meeting user requirements is standardized and measurable, producing metrics that can be effectively reviewed and analyzed by management. The quality of systems entering production is satisfactory to management even with reasonable levels of post-implementation problems. Automation of the process is ad hoc and project-dependent. Management may be satisfied with the current level of efficiency despite the lack of post-implementation evaluation. The test system adequately reflects the live environment. Stress testing for new systems and regression testing for existing systems are applied for major projects.
5 Optimized when
The installation and accreditation processes have been refined to a level of good practice, based on the results of continuous improvement and refinement. IT installation and accreditation processes are fully integrated into the system life cycle and automated when appropriate, facilitating the most efficient training, testing and transition to production status of new systems. Well-developed test environments, problem registers and fault resolution processes ensure efficient and effective transition to the production environment. Accreditation usually takes place with no rework, and post-implementation problems are normally limited to minor corrections.
Post-implementation reviews are standardized, with lessons learned channeled back into the process to ensure continuous quality improvement. Stress testing for new systems and regression testing for modified systems are consistently applied.

DS1 Define and Manage Service Levels
DS1 Maturity Model
Control over the IT process "Define and Manage Service Levels" with the business goal of ensuring the alignment of key IT services with the business strategy.
Measurement
0 Non-existent when
Management has not recognized the need for a process for defining service levels. Accountabilities and responsibilities for monitoring them are not assigned.
1 Initial/Ad Hoc when
There is awareness of the need to manage service levels, but the process is informal and reactive. The responsibility and accountability for defining and managing services are not defined. If performance measurements exist, they are qualitative only with imprecisely defined goals. Reporting is informal, infrequent and inconsistent.
2 Repeatable but Intuitive when
There are agreed-upon service levels, but they are informal and not reviewed. Service level reporting is incomplete and may be irrelevant or misleading for customers. Service level reporting is dependent on the skills and initiative of individual managers. A service level coordinator is appointed with defined responsibilities, but limited authority. If a process for compliance to SLAs exists, it is voluntary and not enforced.
3 Defined when
Responsibilities are well defined, but with discretionary authority. The SLA development process is in place with checkpoints for reassessing service levels and customer satisfaction.
Services and service levels are defined, documented and agreed-upon using a standard process. Service level shortfalls are identified, but procedures on how to resolve shortfalls are informal. There is a clear linkage between expected service level achievement and the funding provided. Service levels are agreed to, but they may not address business needs.
4 Managed and Measurable when
Service levels are increasingly defined in the system requirements definition phase and incorporated into the design of the application and operational environments. Customer satisfaction is routinely measured and assessed. Performance measures reflect customer needs, rather than IT goals. The measures for assessing service levels are becoming standardized and reflect industry norms. The criteria for defining service levels are based on business criticality and include availability, reliability, performance, growth capacity, user support, continuity planning and security considerations. Root cause analysis is routinely performed when service levels are not met. The reporting process for monitoring service levels is becoming increasingly automated. Operational and financial risks associated with not meeting agreed-upon service levels are defined and clearly understood. A formal system of measurement is instituted and maintained.
5 Optimized when
Service levels are continuously re-evaluated to ensure alignment of IT and business objectives, whilst taking advantage of technology, including the cost-benefit ratio. All service level management processes are subject to continuous improvement. Customer satisfaction levels are continuously monitored and managed. Expected service levels reflect strategic goals of business units and are evaluated against industry norms.
IT management has the resources and accountability needed to meet service level targets, and compensation is structured to provide incentives for meeting these targets. Senior management monitors performance metrics as part of a continuous improvement process.

DS2 Manage Third-party Services
DS2 Maturity Model
Control over the IT process "Manage Third-party Services" with the business goal of providing satisfactory third-party services whilst being transparent about benefits, costs and risks.
Measurement
0 Non-existent when
Responsibilities and accountabilities are not defined. There are no formal policies and procedures regarding contracting with third parties. Third-party services are neither approved nor reviewed by management. There are no measurement activities and no reporting by third parties. In the absence of a contractual obligation for reporting, senior management is not aware of the quality of the service delivered.
1 Initial/Ad Hoc when
Management is aware of the need to have documented policies and procedures for third-party management, including signed contracts. There are no standard terms of agreement with service providers. Measurement of the services provided is informal and reactive. Practices are dependent on the experience (e.g., on demand) of the individual and the supplier.
2 Repeatable but Intuitive when
The process for overseeing third-party service providers, associated risks and the delivery of services is informal. A signed, pro forma contract is used with standard vendor terms and conditions (e.g., the description of services to be provided). Reports on the services provided are available, but do not support business objectives.
3 Defined when
Well-documented procedures are in place to govern third-party services, with clear processes for vetting and negotiating with vendors.
When an agreement for the provision of services is made, the relationship with the third party is purely a contractual one. The nature of the services to be provided is detailed in the contract and includes legal, operational and control requirements. The responsibility for oversight of third-party services is assigned. Contractual terms are based on standardized templates. The business risk associated with the third-party services is assessed and reported.
4 Managed and Measurable when
Formal and standardized criteria are established for defining the terms of engagement, including scope of work, services/deliverables to be provided, assumptions, schedule, costs, billing arrangements and responsibilities. Responsibilities for contract and vendor management are assigned. Vendor qualifications, risks and capabilities are verified on a continual basis. Service requirements are defined and linked to business objectives. A process exists to review service performance against contractual terms, providing input to assess current and future third-party services. Transfer pricing models are used in the procurement process. All parties involved are aware of service, cost and milestone expectations. Agreed-upon goals and metrics for the oversight of service providers exist.
5 Optimized when
Contracts signed with third parties are reviewed periodically at predefined intervals. The responsibility for managing suppliers and the quality of the services provided is assigned. Evidence of contract compliance to operational, legal and control provisions is monitored, and corrective action is enforced. The third party is subject to independent periodic review, and feedback on performance is provided and used to improve service delivery.
Measurements vary in response to changing business conditions. Measures support early detection of potential problems with third-party services. Comprehensive, defined reporting of service level achievement is linked to the third-party compensation. Management adjusts the process of third-party service acquisition and monitoring based on the measures.

DS10 Manage Problems
DS10 Maturity Model
Control over the IT process "Manage Problems" with the business goal of ensuring end users' satisfaction with service offerings and service levels, and reducing solution and service delivery defects and rework.
Measurement
0 Non-existent when
There is no awareness of the need for managing problems, as there is no differentiation of problems and incidents. Therefore, there is no attempt made to identify the root cause of incidents.
1 Initial/Ad Hoc when
Personnel recognize the need to manage problems and resolve underlying causes. Key knowledgeable personnel provide some assistance with problems relating to their area of expertise, but the responsibility for problem management is not assigned. Information is not shared, resulting in additional problem creation and loss of productive time while searching for answers.
2 Repeatable but Intuitive when
There is a wide awareness of the need for and benefits of managing IT-related problems within both the business units and information services function. The resolution process is evolved to a point where a few key individuals are responsible for identifying and resolving problems.
Information is shared amongst staff in an informal and reactive way. The service level to the user community varies and is hampered by insufficient structured knowledge available to the problem manager.
3 Defined when
The need for an effective integrated problem management system is accepted and evidenced by management support, and budgets for the staffing and training are available. Problem resolution and escalation processes have been standardized. The recording and tracking of problems and their resolutions are fragmented within the response team, using the available tools without centralization. Deviations from established norms or standards are likely to be undetected. Information is shared among staff in a proactive and formal manner. Management review of incidents and analysis of problem identification and resolution are limited and informal.
4 Managed and Measurable when
The problem management process is understood at all levels within the organization. Responsibilities and ownership are clear and established. Methods and procedures are documented, communicated and measured for effectiveness. The majority of problems are identified, recorded and reported, and resolution is initiated. Knowledge and expertise are cultivated, maintained and developed to higher levels, as the function is viewed as an asset and major contributor to the achievement of IT objectives and improvement of IT services. Problem management is well integrated with interrelated processes, such as incident, change, availability and configuration management, and assists customers in managing data, facilities and operations. Goals and metrics have been agreed upon for the problem management process.
5 Optimized when
The problem management process is evolved into a forward-looking and proactive one, contributing to the IT objectives. Problems are anticipated and prevented.
Knowledge regarding patterns of past and future problems is maintained through regular contacts with vendors and experts. The recording, reporting and analysis of problems and resolutions are automated and fully integrated with configuration data management. Goals are measured consistently. Most systems have been equipped with automatic detection and warning mechanisms, which are continuously tracked and evaluated. The problem management process is analyzed for continuous improvement based on analysis of measures and is reported to stakeholders.

ME1 Monitor and Evaluate IT Performance
ME1 Maturity Model
Control over the IT process "Monitor and Evaluate IT Performance" with the business goal of transparency and understanding of IT cost, benefits, strategy, policies and service levels in accordance with governance requirements.
Measurement
0 Non-existent when
The organization has no monitoring process implemented. IT does not independently perform monitoring of projects or processes. Useful, timely and accurate reports are not available. The need for clearly understood process objectives is not recognized.
1 Initial/Ad Hoc when
Management recognizes a need to collect and assess information about monitoring processes. Standard collection and assessment processes have not been identified. Monitoring is implemented and metrics are chosen on a case-by-case basis, according to the needs of specific IT projects and processes. Monitoring is generally implemented reactively to an incident that has caused some loss or embarrassment to the organization. The accounting function monitors basic financial measures for IT.
2 Repeatable but Intuitive when
Basic measurements to be monitored are identified.
Collection and assessment methods and techniques exist, but the processes are not adopted across the entire organization. Interpretation of monitoring results is based on the expertise of key individuals. Limited tools are chosen and implemented for gathering information, but the gathering is not based on a planned approach.
3 Defined when
Management communicates and institutes standard monitoring processes. Educational and training programs for monitoring are implemented. A formalized knowledge base of historical performance information is developed. Assessment is still performed at the individual IT process and project level and is not integrated amongst all processes. Tools for monitoring IT processes and service levels are defined. Measurements of the contribution of the information services function to the performance of the organization are defined, using traditional financial and operational criteria. IT-specific performance measurements, non-financial measurements, strategic measurements, customer satisfaction measurements and service levels are defined. A framework is defined for measuring performance.
4 Managed and Measurable when
Management defines the tolerances under which processes must operate. Reporting of monitoring results is being standardized and normalized. There is integration of metrics across all IT projects and processes. The IT organization's management reporting systems are formalized. Automated tools are integrated and leveraged organization-wide to collect and monitor operational information on applications, systems and processes. Management is able to evaluate performance based on agreed-upon criteria approved by stakeholders.
Measurements of the IT function align with organization-wide goals.
5 Optimized when
A continuous quality improvement process is developed for updating organization-wide monitoring standards and policies and incorporating industry good practices. All monitoring processes are optimized and support organization-wide objectives. Business-driven metrics are routinely used to measure performance and are integrated into strategic assessment frameworks, such as the IT balanced scorecard. Process monitoring and ongoing redesign are consistent with organization-wide business process improvement plans. Benchmarking against industry and key competitors becomes formalized, with well-understood comparison criteria.

ME3 Ensure Compliance with External Requirements
ME3 Maturity Model
Control over the IT process "Ensure Compliance with External Requirements" with the business goal of ensuring compliance with laws, regulations and contractual requirements.
Measurement
0 Non-existent when
There is little awareness of external requirements that affect IT, with no process regarding compliance with regulatory, legal and contractual requirements.
1 Initial/Ad Hoc when
There is awareness of regulatory, contractual and legal compliance requirements impacting the organization. Informal processes are followed to maintain compliance, but only as the need arises in new projects or in response to audits or reviews.
2 Repeatable but Intuitive when
There is an understanding of the need to comply with external requirements, and the need is communicated. Where compliance is a recurring requirement, as in financial regulations or privacy legislation, individual compliance procedures have been developed and are followed on a year-to-year basis. There is, however, no standard approach. There is high reliance on the knowledge and responsibility of individuals, and errors are likely.
There is informal training regarding external requirements and compliance issues.
3 Defined when
Policies, plans and procedures are developed, documented and communicated to ensure compliance with regulations and contractual and legal obligations, but some may not always be followed, and some may be out of date or impractical to implement. There is little monitoring performed and there are compliance requirements that have not been addressed. Training is provided in external legal and regulatory requirements affecting the organization and the defined compliance processes. Standard pro forma contracts and legal processes exist to minimize the risks associated with contractual liability.
4 Managed and Measurable when
Issues and exposures from external requirements and the need to ensure compliance at all levels are fully understood. A formal training scheme is in place to ensure that all staff members are aware of their compliance obligations. Responsibilities are clear and process ownership is understood. The process includes a review of the environment to identify external requirements and ongoing changes. There is a mechanism in place to monitor non-compliance with external requirements, enforce internal practices and implement corrective action. Non-compliance issues are analyzed for root causes in a standard manner, with the objective to identify sustainable solutions. Standardized internal good practices are utilized for specific needs, such as standing regulations and recurring service contracts.
5 Optimized when
A well-organized, efficient and enforced process is in place for complying with external requirements, based on a single central function that provides guidance and coordination to the whole organization.
Extensive knowledge of the applicable external requirements, including their future trends and anticipated changes, and the need for new solutions exist. The organization takes part in external discussions with regulatory and industry groups to understand and influence external requirements affecting them. Good practices are developed ensuring efficient compliance with external requirements, resulting in very few cases of compliance exceptions. A central, organization-wide tracking system exists, enabling management to document the workflow and to measure and improve the quality and effectiveness of the compliance monitoring process. An external requirements self-assessment process is implemented and refined to a level of good practice. The organization's management style and culture relating to compliance are sufficiently strong, and processes are developed well enough for training to be limited to new personnel and whenever there is a significant change.

ME4 Provide IT Governance
ME4 Maturity Model
Control over the IT process "Provide IT Governance" with the business goal of integrating IT governance with corporate governance objectives and complying with laws and regulations.
Measurement
0 Non-existent when
There is a complete lack of any recognizable IT governance process. The organization does not even recognize that there is an issue to be addressed; hence, there is no communication about the issue.
1 Initial/Ad Hoc when
There is recognition that IT governance issues exist and need to be addressed. There are ad hoc approaches applied on an individual or case-by-case basis. Management's approach is reactive, and there is only sporadic, inconsistent communication on issues and approaches to address them. Management has only an approximate indication of how IT contributes to business performance.
Management only reactively responds to an incident that has caused some loss or embarrassment to the organization.

2 Repeatable but Intuitive when
There is awareness of IT governance issues. IT governance activities and performance indicators, which include IT planning, delivery and monitoring processes, are under development. Selected IT processes are identified for improvement based on individuals’ decisions. Management identifies basic IT governance measurements and assessment methods and techniques; however, the process is not adopted across the organization. Communication on governance standards and responsibilities is left to the individual. Individuals drive the governance processes within various IT projects and processes. The processes, tools and metrics to measure IT governance are limited and may not be used to their full capacity due to a lack of expertise in their functionality.

3 Defined when
The importance of and need for IT governance are understood by management and communicated to the organization. A baseline set of IT governance indicators is developed where linkages between outcome measures and performance indicators are defined and documented. Procedures are standardized and documented. Management communicates standardized procedures, and training is established. Tools are identified to assist with overseeing IT governance. Dashboards are defined as part of the IT balanced business scorecard. However, it is left to the individual to get training, follow the standards and apply them. Processes may be monitored, but deviations, while mostly being acted upon by individual initiative, are unlikely to be detected by management.

4 Managed and Measurable when
There is full understanding of IT governance issues at all levels.
There is a clear understanding of who the customer is, and responsibilities are defined and monitored through SLAs. Responsibilities are clear and process ownership is established. IT processes and IT governance are aligned with and integrated into the business and the IT strategy. Improvement in IT processes is based primarily upon a quantitative understanding, and it is possible to monitor and measure compliance with procedures and process metrics. All process stakeholders are aware of risks, the importance of IT and the opportunities it can offer. Management defines tolerances under which processes must operate. There is limited, primarily tactical, use of technology, based on mature techniques and enforced standard tools. IT governance has been integrated into strategic and operational planning and monitoring processes. Performance indicators over all IT governance activities are being recorded and tracked, leading to enterprise-wide improvements. Overall accountability of key process performance is clear, and management is rewarded based on key performance measures.

5 Optimized when
There is an advanced and forward-looking understanding of IT governance issues and solutions. Training and communication are supported by leading-edge concepts and techniques. Processes are refined to a level of industry good practice, based on results of continuous improvement and maturity modeling with other organizations. The implementation of IT policies leads to an organization, people and processes that are quick to adapt and fully support IT governance requirements. All problems and deviations are root-cause analyzed, and efficient action is expediently identified and initiated.
IT is used in an extensive, integrated and optimized manner to automate the workflow and provide tools to improve quality and effectiveness. The risks and returns of the IT processes are defined, balanced and communicated across the enterprise. External experts are leveraged and benchmarks are used for guidance. Monitoring, self-assessment and communication about governance expectations are pervasive within the organization, and there is optimal use of technology to support measurement, analysis, communication and training. Enterprise governance and IT governance are strategically linked, leveraging technology and human and financial resources to increase the competitive advantage of the enterprise. IT governance activities are integrated with the enterprise governance process.


MAPPING NIST 800-53 REV 3 WITH COBIT 4.1

                                                               NIST SP 800-53 Revision 3
Control Objective                                              Coverage   Requirements

Plan and Organize
PO1   Define a Strategic IT Plan                               A          SA-2, CA-7, and CM-2
PO2   Define the Information Architecture                      A          CM-1, CM-2, AC-3, SI-1, SI-4, SI-7, SI-10
PO4   Define the IT Processes, Organization and Relationships  A          AC-5, AC-6, PS-2, PS-7
PO5   Manage the IT Investment                                 A          SA-2
PO8   Manage Quality                                           A          SA-3
PO10  Manage Projects                                          A          CA-1

Acquire and Implement
AI2   Acquire and Maintain Application Software                A          AU-2, SI-7, SI-10, SA-1, SA-3, SA-4, SA-8, SA-11, AC-3, IA-2, MA-2, and SC-2
AI3   Acquire and Maintain Technology Infrastructure           A          SA-3, SA-4, SA-8, SA-11, MA-2
AI5   Procure IT Resources                                     A          SA-1 and SA-4
AI7   Install and Accredit Solutions and Changes               A          CA-4 and CA-6

Deliver and Support
DS1   Define and Manage Service Levels                         A          SA-9
DS2   Manage Third-party Services                              A          PS-7 and SA-9
DS10  Manage Problems                                          N/A

Monitor and Evaluate
ME1   Monitor and Evaluate IT Performance                      N/A
ME3   Ensure Compliance with External Requirements             N/A
ME4   Provide IT Governance                                    N/A

Legend: (A) Some aspects are addressed
        (N/A) Not addressed